Too many user accounts are not properly managed
In many cases the factory default user accounts and passwords used in devices in industrial installations are unmanaged and remain unchanged. Shared and/or weak passwords are also an issue.
From a cybersecurity perspective, in today’s interconnected world, both factory default accounts and shared accounts represent a huge cybersecurity risk and are unacceptable. Besides cybersecurity concerns, both factory default and shared accounts can make control system management a nightmare for control system owners.
Consider the case in which a power outage occurs as a result of a changed configuration, but it cannot be established which employee actually changed the configuration because a shared account or a factory default account was used to access the system and make the change.
Another possible scenario is connected with a single employee leaving an organization. Since this member of staff knows a password that is shared by several other employees, a huge effort is required to change this shared password in a number of devices and locations, to ensure that the departing employee can no longer access the system. Last but not least, the remaining employees must also be informed of the new password, so that they can continue to carry out their work.
Legacy processes, tools and technologies can make it hard for security managers and system operators to change systems so as to adapt to and defend against new security threats. Security managers need proven standardized technologies and modern tools to move to the next level. Central user account management combined with Role Based Access Control (RBAC) is the perfect solution for managing user accounts and user permissions centrally and efficiently, while still providing a state of the art security solution. It also eliminates the nightmare of having unmanaged user accounts on hundreds of devices.
Technological change has brought both operational benefits and cybersecurity risks
Substation automation, protection and control systems have changed significantly in the past decade. Systems have become more interconnected and provide end users with much more information, resulting in higher reliability, increased levels of control and higher productivity. Interoperability between different vendor products and systems has been achieved by deploying products and solutions based on open standards such as publications from the IEC 61850 series, Communication networks and systems for power utility automation, or IEC 60870-5-104, Telecontrol equipment and systems – Part 5-104: Transmission protocols – Network access for IEC 60870-5-101 using standard transport profiles, and by leveraging proven Ethernet technology.
This change in technology has brought huge benefits from an operational point of view, but it has also exposed utilities to the kind of cybersecurity threats that have been confronting traditional enterprise systems for years. Cybersecurity is an essential component of modern networks, but fragmented access policies across network devices risk exposing critical vulnerabilities.
Careless practices make system access easy
The heterogeneous nature of automation networks has complicated tasks such as revoking staff credentials, or changing default passwords. Factory default accounts often remain unchanged after handover from manufacturer to customer, and may even remain unchanged on devices for their entire lifetime. Such practices and unchanged factory default accounts make it easy for an attacker to access devices rapidly and without needing to possess any special skills or knowledge.
Furthermore, most control and network devices provide logging capabilities to record what users have done, but if all actions are performed under the umbrella of a factory default account, then the logged information and audit trail say nothing about who has really performed which actions.
Setting the stage for a possible solution
Control system owners and managers would probably welcome positive answers to the following questions to ensure the security of their systems:
- Would you like to manage user accounts easily?
- Would you like to administer new employees’ access and permissions in your company from a central point?
- Would you like to be able to remove or disable user credentials quickly from a single central location when an employee leaves your company?
- Would you like the changes you made in the central location to be immediately effective on all products from different vendors throughout your organization?
- Would you like to eliminate worry about default user accounts remaining active on unmanaged local devices?
The industry strikes back
Following demands from the North American Electric Reliability Corporation – Critical Infrastructure Protection (NERC-CIP) Standards, and many other cybersecurity requirements, the industry is adopting a common path to the future: IEC TS 62351-8: Power systems management and associated information exchange – Data and communications security – Part 8: Role-based access control. This Technical Specification sets out how vendors should implement and provide RBAC and central user account management to their customer base.
Since the arrival of IEC TS 62351-8 in 2011, users have been able to authenticate themselves across their organization to all devices in all networks, with a user-specific and unique user-id and password. Moreover, the addition or removal of users is done centrally, in a single step.
This technology offers not only the central management of user-ids and passwords, but also the management of user permissions by assigning roles to users, depending on their job roles in the organization (RBAC).
Possible solution for a nightmare scenario
Control systems need to be managed to ensure sustainable infrastructures. Managing a system means continually keeping its devices up-to-date.
The management of a cybersecurity policy can become complex; therefore, to be efficient, security managers need support from software applications. A Role Based Access Control system is such an application. RBAC allows responsible persons to manage users and their roles consistently from a central point – even for multiple control systems in different locations.
Not everybody needs to be a system administrator. A common sense approach in cybersecurity management is to grant the fewest possible privileges to every user. An RBAC system based on IEC TS 62351-8 enables the person responsible for security in a company to manage users for the entire system and assign roles to those users from one place.
IEC 62351 is a series of technical security International Standards that aims to secure power system-specific communication protocols such as IEC 61850 or IEC 60870-5-104. While most parts of the series have been released, more work is needed before systems compliant with IEC 62351 can be put on the market. IEC 62351-8, finalized and published in 2011, defines RBAC for power systems. This is not a new concept; it is in fact part of best practice in many IT systems. The use of RBAC in power systems makes it possible to reduce the number of permissions that have to be assigned to certain users so that these users have only the permissions they need to perform their duties. This reduces the risk to the power system, as permissions are only assigned when they are actually needed, according to the principle of least privilege. The standard also defines a list of pre-defined roles (e.g., Viewer, Operator, etc.) and of pre-defined rights.
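A minimal model of the central RBAC arrangement described above, added here as an illustration; it is not code from IEC TS 62351-8 or from any vendor product. Only the role names Viewer and Operator come from the article; the right names, user-ids and device names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Illustrative role-to-right mapping (assumption): the role names appear in
# the article, the right names are constructed for this example.
ROLE_RIGHTS = {
    "VIEWER": {"VIEW"},
    "OPERATOR": {"VIEW", "CONTROL"},
}

@dataclass
class CentralDirectory:
    """Single place where users, roles and revocations are managed."""
    users: dict = field(default_factory=dict)  # user-id -> set of role names
    audit: list = field(default_factory=list)  # (user, device, action, outcome)

    def assign(self, user, *roles):
        self.users.setdefault(user, set()).update(roles)

    def revoke(self, user):
        # One central step; every device sees it on its next access check.
        self.users.pop(user, None)

    def rights_of(self, user):
        roles = self.users.get(user, set())
        return set().union(*(ROLE_RIGHTS.get(r, set()) for r in roles))

@dataclass
class Device:
    """A device that keeps no local accounts and asks the directory."""
    name: str
    directory: CentralDirectory

    def perform(self, user, action):
        allowed = action in self.directory.rights_of(user)
        outcome = "ALLOW" if allowed else "DENY"
        # Every attempt is logged against a unique user-id, not a shared one.
        self.directory.audit.append((user, self.name, action, outcome))
        return allowed

def demo():
    d = CentralDirectory()
    d.assign("alice", "OPERATOR")
    d.assign("bob", "VIEWER")
    relay, gateway = Device("bay-relay-1", d), Device("gateway-1", d)
    results = [
        relay.perform("alice", "CONTROL"),    # operator is allowed to control
        relay.perform("bob", "CONTROL"),      # viewer has VIEW only
        gateway.perform("admin", "CONTROL"),  # default account is not in the directory
    ]
    d.revoke("alice")                         # alice leaves the organization
    results.append(relay.perform("alice", "CONTROL"))
    results.append(gateway.perform("alice", "VIEW"))
    return results, d.audit

if __name__ == "__main__":
    print(demo())
```
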
Adhering to International Standards as closely as possible
To ensure high quality and dependable cybersecurity functionality in heterogeneous installations, it is fundamental to adhere to International Standards as far as possible. A high level of cybersecurity can only be achieved by deploying and using reviewed, approved and standardized technologies and methods, especially when installing devices from different vendors. Utilities not following such a wise path can find themselves locked in to a single supplier offering proprietary solutions.
Cybersecurity cannot be optimized without knowing everything that is going on in the system. Security related events, like access and other user activities in different system components, need to be monitored to identify potential attacks and to optimize protection. Central user activity logs collect cybersecurity related events from the system devices and make the information available to responsible personnel. An efficient and user-friendly approach, such as automatic recognition of event patterns, is a key feature of such monitoring applications.
State of the art cybersecurity products based on International Standards such as IEC TS 62351-8 enable efficient RBAC management of user accounts in multi-vendor control systems. They provide utilities with real-time visibility of the security-relevant user activity within their systems.
Proprietary cybersecurity implementations should be avoided for seamless integration of multi-vendor control systems. The adoption of interoperable solutions that conform to IEC TS 62351-8 makes performing these tasks much easier.
About the authors
Frank Hohlbaum – Security Manager Grid Automation, ABB Switzerland Ltd.
Frank is globally responsible for all aspects of cybersecurity within ABB’s Power System Substations and drives the security activities in this business unit. He is an active member of the Power System Security Council and represents the business unit Power System Substations. Frank Hohlbaum joined ABB in 1996 and has 20 years’ experience in substation automation. Frank is a Member of IEC Technical Committee (TC) 57/Working Group (WG) 3: Telecontrol protocols.
Bart de Wijs – Head of Cybersecurity for ABB's Power Grids Division.
Bart represents this division in the ABB Group Cybersecurity Council, which is a cross-disciplinary team staffed with resources from various corporate functions. Additionally, he is a member of the ABB Cybersecurity Response Team, handling vulnerabilities and incidents. Within the division he leads a team of cybersecurity specialists dealing with the different aspects of all the security-related concerns that could affect ABB customers. He is a member of various cybersecurity expert groups. Between 2007 and 2010 Bart was responsible for cybersecurity in ABB’s Power Generation business unit.
Fernando Alvarez – Cybersecurity Technical Product Manager, ABB Switzerland Ltd.
Fernando is responsible for supporting the development of different cybersecurity technologies in ABB products and for managing and tracking ABB’s cybersecurity intellectual property. He is also an active member of IEC TC57/WG15: Data and communication security, the IEC group working on the IEC 62351 series of International Standards for power systems management and associated information exchange. Previously Fernando worked on securing the internal IT infrastructure of banks and on securing military communications.