Managing and Securing Remote Access to Critical Infrastructure, Yariv Lenchner of CyberArk

Securing Remote Access to OT/ICS Systems
Yariv Lenchner, Sr. Product Manager, CyberArk Software

Upload: digital-bond

Post on 22-Nov-2014


DESCRIPTION

The session covers the security risks and issues around the management and use of privileged/interactive remote user access, including the following topics:

- Management of generic and shared accounts (and their users)
- Remote interactive access to critical systems (e.g. vendor support)
- Current typical jump server implementations and their security weaknesses
- Isolation, monitoring and control over interactive/privileged sessions
- Recommended design and implementation of jump servers

The session covers both the security issues and the proposed solutions.

TRANSCRIPT

Page 1: Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchner of CyberArk

Securing Remote Access to OT/ICS Systems

Yariv Lenchner

Sr. Product Manager

CyberArk Software

Page 2

Current ICS Security Status

▪ We all know that many ICS systems and devices are vulnerable to cyber attacks

▪ There are many reasons for this:

■ Preferring system availability over security
■ Lack of focus on security during development
■ No or very little patching of systems in production environments

▪ The usual advice and best practice was to isolate, isolate, isolate!

Page 3

Can We Really Isolate All Critical Networks?

▪ The assumption that our critical network is isolated is very problematic:

■ Removable media
■ Mistakes and temporary connections
■ Remote access

▪ How do we design a truly secure remote access system?

▪ A design that will also help secure against the first two types of threat

Page 4

The Homegrown Proxy Server

▪ The typical and most popular solution is a homegrown proxy server

▪ Usually deployed as an entrance point to the critical network

▪ Let’s go over some of the security challenges with this popular deployment and how to solve them

Page 5

1) The “All or Nothing” Challenge

▪ The remote proxy usually serves as an access point for multiple users with different target devices and different privileges

▪ Once access to the proxy is granted, the remote user usually has unlimited access to all resources or devices on the critical network

▪ Recommendation:

■ Implement granular restriction so that users can connect to specific systems only

Page 6

2) The Shared Account Issue

▪ Many resources on the critical network are being managed through shared privileged accounts (IEDs, HMIs, Applications, Routers, Servers, FWs…)

▪ Remote access users usually use the same shared and privileged accounts

▪ Managing passwords on shared accounts that have internal and remote users becomes a serious issue

▪ Results:

■ Passwords are not updated
■ No track of who knows a password
■ Updating passwords brings the risk of not knowing a password in an emergency
■ No accountability

▪ Recommendation:

■ Implement and enforce the use of individual (named) user accounts on the proxy server

“…100% of breaches involved stolen credentials.”

“APT intruders…prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts.”

Mandiant, M-Trends and APT1 Report

Page 7

3) Workflow and Policy Enforcement

▪ Remote access to the proxy server is available at any time to anyone who has access to it

▪ Policies that control the access process are manual and hard to enforce

▪ Different policies exist for different users and systems

▪ Homegrown proxy servers usually do not enforce policies that consider:

■ Time of day
■ Length of remote session
■ Access request reason
■ Manager’s approval

▪ Homegrown proxy servers do not keep any kind of log about the request reason or on the approval

▪ Recommendation: Implement a proxy server with policy enforcement and dual control capability
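The following is an added example (not CyberArk's or the presenter's code) of the per-user, per-target access check and policy enforcement recommended on pages 5 and 7: every request is tested against an allow-list of targets, permitted hours, maximum session length, a mandatory request reason and a manager's approval, and every decision is written to an audit record. The user names, target names and policy values are constructed for illustration.

```python
"""Access-policy check for a jump server (proxy) in front of an ICS network.

Added example, not CyberArk's or the presenter's code. The policy fields, user
names and target names are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Policy:
    """Per-user policy: allowed targets, permitted hours, max length, dual control."""
    targets: frozenset                 # granular allow-list of systems (page 5)
    hours: tuple = (8, 18)             # permitted local hours [start, end)
    max_minutes: int = 60              # maximum remote session length
    needs_approval: bool = True        # a manager must approve (dual control)


# Constructed policy table: a vendor with narrow access and an operator with wide access.
POLICIES = {
    "vendor_acme": Policy(targets=frozenset({"hmi-01"}), max_minutes=30),
    "ops_alice": Policy(targets=frozenset({"hmi-01", "plc-07"}), hours=(0, 24),
                        needs_approval=False),
}

AUDIT = []  # every decision keeps the request reason and approver (page 7 gap)


def check(user, target, when_iso, minutes, reason="", approver=""):
    """Evaluate one access request; return (allowed, explanation)."""
    when = datetime.fromisoformat(when_iso)
    pol = POLICIES.get(user)
    if pol is None:
        verdict = (False, "unknown user")
    elif target not in pol.targets:          # replaces all-or-nothing proxy access
        verdict = (False, f"{user} is not permitted on {target}")
    elif not (pol.hours[0] <= when.hour < pol.hours[1]):
        verdict = (False, "outside permitted hours")
    elif minutes > pol.max_minutes:
        verdict = (False, f"session longer than {pol.max_minutes} minutes")
    elif not reason.strip():
        verdict = (False, "access request reason is required")
    elif pol.needs_approval and (not approver or approver == user):
        verdict = (False, "manager approval required (dual control)")
    else:
        ends = (when + timedelta(minutes=minutes)).isoformat()
        verdict = (True, f"allowed, session expires {ends}")
    AUDIT.append({"user": user, "target": target, "at": when_iso,
                  "reason": reason, "approver": approver, "result": verdict})
    return verdict


if __name__ == "__main__":
    print(check("vendor_acme", "hmi-01", "2014-11-20T10:00", 20, "patch", "mgr_bob"))
    print(check("vendor_acme", "plc-07", "2014-11-20T10:00", 20, "patch", "mgr_bob"))
```

Self-approval is rejected as well as a missing approver, so the dual-control rule cannot be satisfied by the requesting user alone.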

Page 8

4) Monitoring and Control

▪ Once access is granted, there is very little control over what the remote user is actually doing

▪ There is no real time over-the-shoulder monitoring capability

▪ No real records of everything that is being done during a remote session

▪ No quick and easy capability to terminate a remote session immediately

▪ Recommendation:

■ The proxy server should allow a certified supervisor to monitor and control remote sessions in real time
■ The proxy server should be able to video record the session for future review

Page 9

5) Are You Sure There Are No Bypasses?

▪ The Million Dollar Question:

■ Are you sure there is no other way to access the critical devices on the critical network?

▪ If the proxy is bypassed, the last line of defense is the privileged account password

▪ Passwords tend to be guessed, stolen, hijacked, found or even given away

▪ Recommendation:

■ Privileged passwords should be stored, managed and known only to the proxy server itself

Page 10

6) Analytics and SIEM Integration

▪ Malicious activity passing through the proxy server can continue for long periods while going undetected

▪ A typical proxy server is not capable of detecting anomalies in remote connections made through it

▪ Recommendation:

■ The proxy server should be able to compare current remote access activity to historical activity in real time
■ Detection of anomalies as they happen allows the incident response team to respond and disrupt the attack
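As an added example of the comparison recommended above (not CyberArk's or the presenter's code), the block below builds a per-user baseline from past proxy sessions and flags a live session that uses a target the user has never touched, starts far from any hour previously seen, or runs far longer than the user's historical maximum. The session records and thresholds are constructed for illustration.

```python
"""Flag remote-access sessions that deviate from a user's historical baseline.

Added example, not CyberArk's or the presenter's code. The session records are
constructed; real input would come from the proxy's session log.
"""
from collections import Counter, defaultdict

# Constructed historical session log from the proxy: (user, target, start hour, minutes)
HISTORY = [
    ("vendor_acme", "hmi-01", 10, 25), ("vendor_acme", "hmi-01", 11, 30),
    ("vendor_acme", "hmi-01", 14, 20), ("vendor_acme", "hmi-01", 9, 35),
    ("ops_alice", "plc-07", 8, 40), ("ops_alice", "hmi-01", 16, 45),
    ("ops_alice", "plc-07", 13, 50), ("ops_alice", "hmi-01", 9, 30),
]


def build_baseline(history):
    """Per-user profile: targets used, start hours seen, longest session."""
    per_user = defaultdict(list)
    for user, target, hour, minutes in history:
        per_user[user].append((target, hour, minutes))
    baseline = {}
    for user, rows in per_user.items():
        baseline[user] = {
            "targets": Counter(t for t, _, _ in rows),
            "hours": {h for _, h, _ in rows},
            "max_len": max(m for _, _, m in rows),
        }
    return baseline


def score_session(baseline, user, target, hour, minutes):
    """Return the anomaly indicators for one live session (empty list = normal)."""
    prof = baseline.get(user)
    if prof is None:
        return ["first session ever seen for this user"]
    flags = []
    if target not in prof["targets"]:
        flags.append(f"new target {target} for {user}")
    if all(abs(hour - h) > 2 for h in prof["hours"]):
        flags.append(f"hour {hour:02d} is more than 2h from any previous session")
    if minutes > 2 * prof["max_len"]:
        flags.append(f"session of {minutes} min exceeds twice the previous maximum")
    return flags


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(score_session(base, "vendor_acme", "hmi-01", 10, 25))   # normal
    print(score_session(base, "vendor_acme", "plc-07", 3, 90))    # three indicators
```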

Page 11

Securing Remote Access into ICS Networks

CyberArk’s Privileged Session Manager (PSM)

Page 12

Securing Access Into the ICS/OT Network

[Architecture diagram; labels only: Corporate Network, Corporate User, Third party vendor, Web Portal, VPN, DMZ, DMZ firewall, PSM, Vault (Password and Session Recording), Supervisor, ICS firewall, ICS Network, UNIX Servers, Windows Servers, Databases, SCADA Devices, Routers & Switches]

Page 13

Summary

▪ Remote Access – Many critical networks need some type of remote access

▪ It is better to implement a secure remote access solution than to ignore the need for one and end up using non-secure methods

▪ NERC CIP v5 includes new requirements for the proxy server (the intermediate device) – use the new requirements to build the appropriate solution

▪ Align your secure remote access methods with privileged password management to minimize the risk of attack

Page 14

Questions?

Page 15

Thank You!

Yariv Lenchner
Sr. Product Manager

CyberArk

[email protected]

www.cyberark.com