Access control is one area where ICS have had robust security controls for decades. These access controls can be customized down to the point or tag level, although this is rarely required. Remember our goal is to enforce least privilege. A user should only be able to do what they are required and authorized to do. Nothing more.

This week’s task is to review your systems’, applications’, and devices’ access control capabilities. Are they being used to create a least privilege access control regimen?

Common access control capabilities in ICS include:

  • Role Based Access Control: Most ICS have pre-configured roles such as Operator, Administrator, Engineer, and View Only. Most also allow you to customize the privileges in these roles and create new roles. Think about the ICS roles in your organization. Who should be able to do what? If necessary, modify or create roles to match these needs and then put each user account into the appropriate role.
  • Station Based Access Control: Are there Operator Stations in exposed parts of the plant where even an authorized user should not perform certain functions? For example, Operators may only be authorized to perform operational functions in the control room. There may be an HMI on the plant floor that should be restricted to View Only regardless of who is using this station. Or you may want this station on the plant floor to operate nearby physical assets and have View Only for the rest of the plant. Station Based Access Control can enforce these restrictions.
  • Area of Control: If your ICS has multiple processes, each administered and operated by a different team, you should consider Area of Control. You can group tags or points into an Area, and then assign privileges to the Area.
  • Time Based Access Control: While many ICS support restricting user accounts based on time of day and day of week, it is rarely used due to requirements for emergency access. If you have users who only should have privileges at certain times, consider time based access control.

While you want to implement least privilege, don’t make it unnecessarily complicated and be careful not to prevent required access and capabilities. In general, the benefits and complexity of access control grow as you have more people and more cyber assets. 

Note: Make sure you understand the priority of assignment in the access control regimen. For example, most systems will prioritize Station Based over Role Based if there is a conflict.
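The following is an added illustration, not code from the original post or from any ICS product, of how the four capabilities above combine into a single least-privilege decision, with the precedence from the note (a station restriction wins over a role grant) built in. The role privilege sets, the operation names (`read`, `ack_alarm`, `write_setpoint`, `modify_logic`, `manage_users`), the station, user, Area and tag names, and the `authorize` / `check` functions are all constructed for the example; real systems name and order these differently.

```python
"""Toy least-privilege decision engine for ICS access control.

Added example: roles, stations, users, Areas and tags are constructed sample
data. The precedence rule (station restrictions override role grants) follows
the note in the text; every other detail is an assumption, not a vendor API.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, Optional, Tuple

# Role Based Access Control: role -> operations the role grants (constructed)
ROLES: Dict[str, FrozenSet[str]] = {
    "ViewOnly": frozenset({"read"}),
    "Operator": frozenset({"read", "ack_alarm", "write_setpoint"}),
    "Engineer": frozenset({"read", "ack_alarm", "write_setpoint", "modify_logic"}),
    "Administrator": frozenset({"read", "ack_alarm", "write_setpoint",
                                "modify_logic", "manage_users"}),
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    areas: FrozenSet[str]                    # Areas of Control the user is assigned to
    hours: Optional[Tuple[int, int]] = None  # Time Based: (start, end) hour; None = any time


@dataclass(frozen=True)
class Station:
    name: str
    # Station Based Access Control: the most anyone may do from this station,
    # per Area. The key "*" applies to Areas not listed; an empty dict means
    # the station imposes no restriction of its own.
    caps: Dict[str, FrozenSet[str]]


@dataclass(frozen=True)
class Tag:
    name: str
    area: str


def station_cap(station: Station, area: str) -> Optional[FrozenSet[str]]:
    """Return the station's cap for an Area, or None if it imposes none."""
    if area in station.caps:
        return station.caps[area]
    return station.caps.get("*")


def authorize(user: User, station: Station, tag: Tag, op: str,
              now: datetime) -> Tuple[bool, str]:
    """Decide whether `user` may perform `op` on `tag` from `station` at `now`.

    Each layer can only remove privilege; nothing grants beyond the role.
    The station check runs last and can veto a role grant, which is the
    Station-over-Role precedence described in the note.
    """
    granted = ROLES.get(user.role, frozenset())
    if op not in granted:                                   # Role Based
        return False, f"role {user.role} does not grant {op}"
    if tag.area not in user.areas:                          # Area of Control
        return False, f"{user.name} has no privileges in Area {tag.area}"
    if user.hours is not None:                              # Time Based
        start, end = user.hours
        if not start <= now.hour < end:
            return False, f"outside permitted hours {start:02d}:00-{end:02d}:00"
    cap = station_cap(station, tag.area)                    # Station Based
    if cap is not None and op not in cap:
        return False, f"station {station.name} limits Area {tag.area} to {sorted(cap)}"
    return True, "permitted"


# Constructed sample plant: a control-room HMI with no station restriction, and
# a plant-floor HMI that may operate the nearby Boiler but is View Only elsewhere.
CONTROL_ROOM = Station("CR-HMI-01", caps={})
FLOOR_HMI = Station("FLOOR-HMI-07", caps={
    "Boiler": frozenset({"read", "ack_alarm", "write_setpoint"}),
    "*": frozenset({"read"}),
})
ALICE = User("alice", "Operator", frozenset({"Boiler", "Turbine"}))
BOB = User("bob", "Engineer", frozenset({"Boiler"}), hours=(8, 17))
CAROL = User("carol", "ViewOnly", frozenset({"Boiler", "Turbine"}))
BOILER_SP = Tag("BLR01.STEAM_SP", area="Boiler")
TURBINE_SP = Tag("TRB01.SPEED_SP", area="Turbine")


def check(user: User, station: Station, tag: Tag, op: str, hour: int) -> bool:
    """Convenience wrapper: evaluate the decision at a given hour of a fixed sample day."""
    allowed, _reason = authorize(user, station, tag, op, datetime(2024, 1, 1, hour))
    return allowed


if __name__ == "__main__":
    for user, station, tag, op, hour in [
        (ALICE, CONTROL_ROOM, TURBINE_SP, "write_setpoint", 10),
        (ALICE, FLOOR_HMI, TURBINE_SP, "write_setpoint", 10),   # station veto
        (ALICE, FLOOR_HMI, BOILER_SP, "write_setpoint", 10),    # nearby asset ok
        (BOB, CONTROL_ROOM, BOILER_SP, "modify_logic", 22),     # outside hours
        (BOB, CONTROL_ROOM, TURBINE_SP, "read", 9),             # wrong Area
        (CAROL, CONTROL_ROOM, BOILER_SP, "write_setpoint", 10), # role lacks op
    ]:
        print(user.name, station.name, tag.name, op, authorize(user, station, tag, op, datetime(2024, 1, 1, hour)))
```

The order of the checks is the design point: the station cap is evaluated after the role grant and can only subtract, so an Operator who is fully privileged in the control room drops to View Only on the plant-floor HMI for everything except the Boiler Area, exactly the situation the Station Based bullet describes. When reviewing a real system, confirm which layer its documentation says wins on conflict before assuming this ordering.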


Describe your OT access control approach.