Preventing a Cybersecurity Nightmare
Frank Hohlbaum, Bart de Wijs and Fernando Alvarez | July 14, 2016
Cybersecurity is now central to the safe operation of industrial installations. But user accounts for many of the devices put to work in these installations are not properly managed.
Central user account management combined with role-based access control represents what may be the perfect solution for managing user accounts and permissions efficiently and centrally while still providing state of the art security. Adopting this type of approach may eliminate the nightmare of having unmanaged user accounts on hundreds of devices.
In many cases the factory default user accounts and passwords used in devices in industrial installations are unmanaged and remain unchanged. Shared and/or weak passwords are also an issue.
From a cybersecurity perspective, both factory default accounts and shared accounts represent a huge cybersecurity risk and are unacceptable. Besides cybersecurity concerns, factory default and shared accounts can make control system management a nightmare for system owners.
Too Many User Accounts
Consider the case in which a power outage occurs as a result of a changed configuration, but in which it cannot be established which employee actually made the change. This is because a shared account or a factory default account was used to access the system and make the change.
Now consider another possible scenario in which an employee leaves an organization. Because this staff member knows a password that is shared by several other employees, a not insignificant effort is required to change this shared password in a number of devices and locations to ensure that the departing employee no longer has access to the system. What’s more, the remaining employees must be informed of the new password so that they can continue to carry out their work.
Legacy processes, tools and technologies can make it hard for security managers and system operators to change systems to adapt to and defend against new security threats. Security managers need proven and standardized technologies to move to the next level.
Technological change has brought both operational benefits and cybersecurity risks. Substation automation, protection and control systems have changed significantly in the past decade. Systems have become more interconnected and provide end users with much more information, resulting in higher reliability, increased levels of control and higher productivity. Interoperability between different vendor products and systems has been achieved by deploying products and solutions based on open standards such as publications from the IEC 61850 series, Communication networks and systems for power utility automation, or IEC 60870-5-104, Telecontrol equipment and systems – Part 5-104: Transmission protocols – Network access for IEC 60870-5-101 using standard transport profiles, and by leveraging proven Ethernet technology.
This change in technology has brought huge benefits from an operational point of view. But it also has exposed utilities and other process industries to the kind of cybersecurity threats that have confronted traditional enterprise systems for years. Cybersecurity is an essential component of modern networks, but fragmented access policies across network devices risk exposing vulnerabilities.
Careless Practices
The heterogeneous nature of automation networks has complicated tasks such as revoking staff credentials or changing default passwords. Factory default accounts often remain unchanged after handover from manufacturer to customer, and may even remain unchanged on multiple devices for their entire lifetime. Such practices make it easier for an attacker to access devices without the need to possess any special skills or knowledge.
Furthermore, most control and network devices provide logging capabilities to record what users have done. But if all actions are performed under the umbrella of a factory default account, then the logged information and audit trail may say nothing about who actually has performed which actions.
Setting the Stage
Control system owners and managers would probably welcome positive answers to the following questions to ensure their systems’ security:
- Would you like to manage user accounts easily?
- Would you like to administer new employees’ access and permissions in your company from a central point?
- Would you like to be able to remove or disable user credentials quickly from a single central location when an employee leaves?
- Would you like any changes made in the central location to be immediately effective on all products from different vendors throughout the organization?
- Would you like to end worries about default user accounts remaining active on unmanaged local devices?
Following demands from the North American Electric Reliability Corp. – Critical Infrastructure Protection (NERC-CIP) standards and many other cybersecurity requirements, industry is adopting a common path to the future: IEC TS 62351-8: Power systems management and associated information exchange – Data and communications security – Part 8: Role-based access control. This technical specification sets out how vendors should implement and provide RBAC and central user account management to their customer base.
Since the arrival of IEC TS 62351-8 in 2011, users have been able to authenticate themselves across their organization to all devices in all networks with a user-specific and unique user-id and password. Moreover, adding or removing users is done centrally in a single step.
This approach offers not only the central management of user IDs and passwords, but also the management of user permissions by assigning roles to users depending on their job roles in the organization.
Solution for a Nightmare Scenario
Control systems need to be managed to ensure sustainable infrastructures. Managing a system means continually keeping its devices up-to-date.
The management of a cybersecurity policy can become complex; therefore to be efficient, security managers need support from software applications. A role-based access control system is such an application. RBAC allows responsible persons to manage users and their roles consistently from a central point, even for multiple control systems in different locations.
Not everyone needs to be a system administrator. A common-sense approach in cybersecurity management is to grant the fewest possible privileges to every user. An RBAC system based on IEC TS 62351-8 enables the person responsible for security to manage users for the entire system and assign roles to those users from one place.
IEC 62351 is a series of international technical security standards that aims to secure power system-specific communication protocols such as IEC 61850 or IEC 60870-5-104.
While most of the series has been released, more work is needed before systems compliant with IEC 62351 can be put on the market. IEC 62351-8, finalized and published in 2011, defines RBAC for electric power systems. The use of RBAC in power systems makes it possible to reduce the number of permissions that have to be assigned to certain users so that these users have only the permissions they need to perform their duties. Doing so reduces the risk to the power system, as permissions are only assigned when they are actually needed, according to the principle of fewest privileges. The standard also defines a list of pre-defined roles (for example, viewer, operator, and so on) and pre-defined rights.
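The following sketch is an added example, not code from the authors or from IEC TS 62351-8. It models the idea described above: devices ask one central directory for every decision, so a role change or a disabled account applies everywhere at once and each audit entry names an individual. The "engineer" role, the right names, the user IDs and the device names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# "viewer" and "operator" are named in the article; "engineer" and the right
# names are assumptions for illustration, not the IEC TS 62351-8 tables.
ROLE_RIGHTS = {
    "viewer": {"view"},
    "operator": {"view", "control"},
    "engineer": {"view", "config"},
}

@dataclass
class CentralDirectory:
    """Single source of truth for accounts, roles and the audit trail."""
    users: dict = field(default_factory=dict)  # user id -> role, enabled
    audit: list = field(default_factory=list)  # (device, user, right, decision)

    def add_user(self, user_id, role):
        if role not in ROLE_RIGHTS:
            raise ValueError(f"unknown role: {role}")
        self.users[user_id] = {"role": role, "enabled": True}

    def disable_user(self, user_id):
        # One central change; every device sees it on its next request.
        self.users[user_id]["enabled"] = False

    def authorize(self, device, user_id, right):
        acct = self.users.get(user_id)
        allowed = bool(acct and acct["enabled"]
                       and right in ROLE_RIGHTS[acct["role"]])
        # Denials are recorded too, so attempts with unknown accounts show up.
        self.audit.append((device, user_id, right, "allow" if allowed else "deny"))
        return allowed

def who_changed(directory, device, right="config"):
    """Which individual accounts were allowed to change this device?"""
    return [u for d, u, r, dec in directory.audit
            if d == device and r == right and dec == "allow"]

def demo():
    d = CentralDirectory()
    d.add_user("a.meier", "engineer")  # constructed sample accounts and devices
    d.add_user("j.smith", "operator")
    results = [d.authorize("relay-01", "a.meier", "config"),   # engineer: allowed
               d.authorize("relay-01", "j.smith", "config"),   # operator: denied
               d.authorize("gateway-07", "admin", "config")]   # no such central account
    d.disable_user("a.meier")  # employee leaves: one step, all devices
    results.append(d.authorize("gateway-07", "a.meier", "view"))
    return d, results
```

Calling `who_changed(directory, "relay-01")` after `demo()` returns the single user ID that made the configuration change, which is the question a shared or factory default account cannot answer.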
Adhering to International Standards
To ensure high quality and dependable cybersecurity functionality in heterogeneous installations, it is fundamental to adhere to international standards as much as possible. A high level of cybersecurity can only be achieved by deploying and using reviewed, approved and standardized technologies and methods, especially when installing devices from different vendors. Utilities not following such a path may find themselves locked in to a single supplier that offers only proprietary solutions.
Cybersecurity cannot be optimized without knowing everything that is going on in the system. Security related events, like access and other user activities in different system components, need to be monitored to identify potential attacks and to optimize protection. Central user activity logs collect cybersecurity-related events from system devices and make the information available to responsible personnel. An efficient and user-friendly approach, such as automatic recognition of event patterns, is a key feature of many such monitoring applications.
State-of-the-art cybersecurity products based on international standards such as IEC TS 62351-8 enable efficient RBAC management of user accounts in multi-vendor control systems. They provide utilities with real-time visibility of the security-relevant user activity within their systems.
Proprietary cybersecurity implementations should be avoided for seamless integration of multi-vendor control systems. The adoption of interoperable solutions that conform to IEC TS 62351-8 may make performing these tasks much easier.
Authors:
Frank Hohlbaum – Security Manager Grid Automation, ABB Switzerland Ltd. Frank is globally responsible for all aspects of cybersecurity within ABB’s Power System Substations and drives the security activities in this business unit. He is an active member of the Power System Security Council and represents the business unit Power System Substations. Frank joined ABB in 1996 and has 20 years’ experience in substation automation. He also is a Member of IEC TC 57/WG 3: Telecontrol protocols.
Bart de Wijs – Head of Cybersecurity for ABB's Power Grids Division. Bart represents this division in the ABB Group Cybersecurity Council, which is a cross-disciplinary team staffed with resources from various corporate functions. Additionally, he is a member of the ABB Cybersecurity Response Team, handling vulnerabilities and incidents. Within the division he leads a team of cybersecurity specialists dealing with the different aspects of all the security-related concerns that could affect ABB customers. He is a member of various cybersecurity expert groups. Between 2007 and 2010 Bart was responsible for cybersecurity in ABB’s Power Generation business unit.
Fernando Alvarez – Cybersecurity Technical Product Manager, ABB Switzerland Ltd. Fernando is responsible for supporting the development of different cybersecurity technologies in ABB products and for managing and tracking ABB’s cybersecurity intellectual property. He is also an active member of IEC TC57/WG15: Data and communication security, the IEC group working on the IEC 62351 series of International Standards for power systems management and associated information exchange. Previously, Fernando worked on securing the internal IT infrastructure of banks and on securing military communications.