By now, it is understood that effective identity and access management (IAM) is critical to an organization’s cybersecurity program and is now considered “table stakes” for meeting minimum requirements for cyber insurance policies, Sarbanes-Oxley (SOX) compliance or alignment with industry leading security frameworks. A mature IAM program also provides significant operational efficiencies via automation of key processes such as on- and off-boarding users, providing self-service capabilities for password resets, access requests and controlling and automatically managing privileged accounts.
Historically, much of the focus for effective IAM has been limited to the organization’s corporate IT environment. But for many companies across industries such as oil and gas, power and utilities, healthcare and medical device manufacturing, industrial manufacturing and distribution, airlines and transportation, and others, there is a separate and unique environment – the operational technology (OT) environment which has its own set of human and non-human identities – that needs to be considered now more than ever.
OT environments traditionally have been more segmented from corporate IT and, in some cases, not even connected to a local or standalone network. But the needs of the business have led to more modern OT landscapes that are increasingly connected, accessible and comprised of applications, appliances and Internet of Things (IoT) devices that allow companies to better manage and optimize the management and control of their products. In many cases though, these applications and devices are managed locally within the OT environment by site-level personnel, which potentially results in two significant challenges:
- Inefficiencies in manual IAM processes that slow down access provisioning and deprovisioning (removal) to critical systems
- Lack of appropriate logical access controls for key OT assets, leading to increased risk of device or OT network compromise
So, what is the answer? Enterprise IAM solutions and capabilities can and should be extended from the IT to the OT environment but need to be done deliberately and meaningfully. Consider these factors when planning to introduce enterprise IAM services into any OT environment:
Collaborate! Corporate IAM/IT stakeholders need to partner with OT counterparts
Corporate IAM and IT stakeholders should partner with OT counterparts to understand the technology landscape of the organization’s OT environment. Understand key business and functional requirements and use cases in OT, including where today’s major pain points are, what the most critical assets and applications are and how the key systems in OT impact safety and production. OT processes typically have objectives focused on uptime, safety and reliability, which could require a shift in thinking or support models, compared to corporate IT. Workshops should cover key requirements, use cases and priorities across:
- Identity governance and administration (IGA)
- Privileged access management (PAM)
- Authentication and authorization
- Supportability of IAM initiatives for OT devices
- Operational impacts for IAM initiatives
Design IAM architecture to fit OT
Does the organization use a DMZ for network connectivity to OT site networks? Is there a separate and distinct network? What about performance considerations? Ensure that planning for the potential architectural expansion of the enterprise IAM solutions into OT includes:
- Deploying additional components of IAM tools into a DMZ or a separate instance inside the OT network in accordance with security requirements
- Solutioning for high availability and disaster recovery to meet the resiliency, performance and scalability requirements of the OT team
Understand the art of the possible
Not every OT system will be capable of integrating with enterprise IAM platforms. Today’s IAM vendors are not prioritizing backward compatibility to integrate with operating systems like Windows XP or RHEL.
While these operating systems are considered end-of-life and decommissioned in the IT world, the hard truth is that these legacy (and deprecated) operating systems are the very same systems that are relied upon to provide critical necessities such as clean water, mass transportation, electricity, telecommunications and many more products and services that we depend on as part of our everyday lives. Understand what can and cannot be integrated and plan accordingly.
Prioritize what can be integrated
Now that there is an understanding of what OT systems can be integrated, develop a prioritized plan. Key prioritization factors should include:
- What systems have the highest security risks, including:
- Poorly managed privileged and shared accounts, especially those to which vendors have access
- Weak authentication controls
- No governance over identity lifecycle, i.e., user access reviews, terminations
- What systems would provide the greatest operational wins, including:
- Significant volume of manual access requests or fulfillment tasks
- Frequent password reset or other authentication challenges due to lack of simplified or single sign-on
- What systems are most critical to operations or facility uptime. In some cases, these may not be the highest security risk but if compromised or otherwise offline would create the highest detrimental impact on the business.
Don’t neglect what cannot be integrated. For unique systems that cannot integrate with enterprise IAM solutions, there are still great local enhancements that can often be applied. National Institute of Standards and Technology (NIST) 800-63 provides guidance on how to effectively manage digital identities and access within an enterprise. Some leading practices that do not always require the use of enterprise solutions include:
- Enabling multi-factor authentication, particularly on remote or third-party access
- Using passphrases instead of complex passwords, and rotating regularly for privileged accounts
- Requiring secure hashing and encryption of authentication credentials
- Storing device identities and / or credentials, even if not fully automated and integrated into broader IAM services
Where controls like these cannot be applied, organizations should look for opportunities to use monitoring and alerting capabilities to identify potential threats. As mentioned, not every OT system leverages modern technology and further, occasionally the risk of enforcing enhanced IAM controls is outweighed by the potential adverse impacts if something goes wrong. IAM teams should avoid any controls that negatively impact the safety and reliability of site operations. Understand that not everything can or will integrate, and reliance on mitigating measures or controls may be required.
Establish roles and responsibilities
With a plan in place to integrate several OT systems into enterprise IGA, PAM and/or access management solutions, it is important to determine who is responsible for what. IT and OT teams must collaborate to agree upon future state roles and responsibilities for the ongoing management of the new environment. IT will likely assume ownership and responsibility for maintaining the IAM solutions themselves, but what happens in a break/fix scenario? What about scenarios where IAM solutions are installed onsite for better supportability and resiliency? Who is responsible for onboarding new applications or privileged accounts? Clearly defining a responsibility, accountability, consulted, informed (RACI) matrix is a component critical to the success of the newly integrated environment, but it requires participation and ownership of tasks from all impacted teams.
Bringing it all together
For organizations with OT environments, the systems or devices driving automation and production can be directly tied to the company’s ability to generate revenue. In many cases, the presence of security vulnerabilities such as IAM risks pose real-world threats to people’s well-being if compromised. With that in mind, careful consideration must be used to bring IT and OT stakeholders together to understand what can be done to extend IAM into OT, how it should be designed and what needs to remain as-is based on limiting factors or operational needs. Extending corporate IAM solutions into the OT environment can significantly benefit the organizational priorities of security, resiliency and safety as well as provide a model for IT and OT teams to collaborate effectively.
Protiviti can assist any organization in assessing its OT environments, IAM landscape and enterprise solutions, and can assist in developing the roadmap and implementing solutions to align IAM solutions across IT and OT.
Wesley Lee, Senior Manager – Security and Privacy, also contributed to this post.