Week 35 addressed user accounts for cyber assets at unmanned sites. This week you will perform a user account review on all OT systems as part of your OT cyber maintenance.

  1. Identify all OT applications, systems, and devices that have user accounts. These could be operating systems, virtualization platforms, applications, PLCs and other level 1 devices, firewalls, switches and other network devices.
  2. Identify the administrator(s) for each system and device.
  3. Ask the administrators the following questions and take the following actions:
    1. What are the default username(s) and password(s) for the system, application, or device? This is a good list for OT security to maintain.
    2. Have the default credentials been removed or replaced? If yes, perform sample auditing to verify. If no, create an action to remove or replace.
    3. Are there shared administrator accounts or other highly privileged shared accounts? If yes, is it technically and operationally feasible to issue individual accounts? If yes, create an action to establish individual accounts.
    4. Are there shared Operator accounts or other roles? If yes, how would actions be attributed to an individual? If operationally this cannot be done by issuing individual user accounts, develop an offline or online means to attribute any action to an individual. For example, cameras could record what individual was at an Operator Station or you could rely on Operator schedules.

Note: There may be older systems, particularly PLCs and other Level 1 devices, that do not support individual user accounts. Capture and maintain these systems in a document and periodically reevaluate the risk.
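As an added example (not from the original page), the decisions in steps 3.2 to 3.4 and the Note above, encoded in Python as a small action register builder; the asset names, administrators and answers are constructed, and treating a shared admin account that cannot be replaced like a legacy device in the risk register is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class AssetReview:
    """Answers gathered from one asset's administrator (steps 3.1 to 3.4)."""
    asset: str
    admin: str
    defaults_replaced: bool                    # 3.2: default credentials removed/replaced?
    shared_admin: bool                         # 3.3: shared admin or highly privileged accounts?
    individual_admin_feasible: bool            # 3.3: can individual accounts be issued?
    shared_operator: bool                      # 3.4: shared Operator or other role accounts?
    attribution: Optional[str] = None          # 3.4: how actions are tied to a person, if at all
    supports_individual_accounts: bool = True  # Note: older Level 1 devices may not

def review_actions(r: AssetReview) -> List[Tuple[str, str]]:
    """Turn one asset's answers into (action_type, description) items."""
    acts: List[Tuple[str, str]] = []
    if r.defaults_replaced:
        acts.append(("AUDIT", f"{r.asset}: sample-audit to verify default credentials are gone"))
    else:
        acts.append(("REMEDIATE", f"{r.asset}: remove or replace default credentials"))
    if r.shared_admin and r.individual_admin_feasible:
        acts.append(("REMEDIATE", f"{r.asset}: issue individual admin accounts, retire the shared one"))
    elif r.shared_admin:
        # Assumption: an infeasible case is tracked like a legacy device (see the Note).
        acts.append(("RISK_REGISTER", f"{r.asset}: shared admin account cannot be replaced; document and reevaluate"))
    if r.shared_operator and not r.attribution:
        acts.append(("REMEDIATE", f"{r.asset}: define an offline or online means to attribute Operator actions"))
    elif r.shared_operator:
        acts.append(("VERIFY", f"{r.asset}: attribution relies on {r.attribution}; confirm it is kept current"))
    if not r.supports_individual_accounts:
        acts.append(("RISK_REGISTER", f"{r.asset}: no individual-account support; document and periodically reevaluate"))
    return acts

def build_register(reviews: List[AssetReview]) -> List[Tuple[str, str]]:
    """Combine every asset's actions into one review action register."""
    return [a for r in reviews for a in review_actions(r)]

# Constructed sample answers; assets, administrators and answers are illustrative only.
SAMPLE = [
    AssetReview("HMI-01 (Windows)", "ops-admin", True, True, True, True, "camera at Operator Station"),
    AssetReview("PLC-07 (Level 1)", "controls-eng", False, True, False, True, None, False),
    AssetReview("OT-FW-02", "network-admin", True, False, True, False),
]

if __name__ == "__main__":
    for kind, text in build_register(SAMPLE):
        print(f"[{kind}] {text}")
```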