Many SCADA and DCS vendors are integrating their applications with Microsoft’s Active Directory. There are some benefits to this:
- Control system vendors no longer need to develop and maintain user management system and other directory services (typically not a core competency)
- Support for strong, two-factor authentication
- Group policy to harden OS platforms
- Single sign-on
However one of the benefits we often hear – – using the enterprise Active Directory eliminates the need to reenter users or maintain two sets of accounts – – requires at a minimum domain controller to domain controller communication between the enterprise and control center security zones. This communication can be exploited and a new Microsoft DNS vulnerability vividly points this out.
With this new vulnerability, that to date does not have a patch, an attacker who has gained access to the enterprise would be able to compromise an Active Directory domain controller on the enterprise. Once the attacker owns this box, he could launch attacks at Active Directory domain controllers on the control system because this communication must be allowed through the firewall. Since the domain controller on the control system is also vulnerable, the attacker would own this box as well and have a launching point for attacks on all systems in the control center.
Sometimes a vulnerability is not even required to cause this enterprise to control system problem. Many of the control systems that rely on Active Directory also rely on Active Directory’s DNS rather than hardcoding or otherwise providing name to address resolution. An innocent DNS change on the enterprise could cause control system devices to no longer know how to find each other. Similarly, a Group Policy change on the enterprise could have a negative impact on control system computers.
Digital Bond and many others in the SCADA security community have recommended for years a completely separate domain for control systems, when a domain is required. This control system domain should also not be in the same Active Directory tree or forest as the enterprise domain.