Good security practice requires user authentication on all systems and applications. It also requires users to log out, or be locked out, when they physically leave the area or leave the cyber asset idle for too long. Many OT environments and cyber assets don’t follow these practices for operational reasons. The security risks are instead addressed through a combination of physical security controls and people who are physically present and responsible for detecting, preventing, and responding to unauthorized access. This works fine at manned sites, but runs into problems at unmanned sites.

This week’s task is to identify unmanned sites and to evaluate the sufficiency of the access control measures at these sites. Some examples of unmanned sites include:

  • A pumping station, substation, or compressor station. These remote stations are common in SCADA systems and often are in remote locations that take hours to reach.
  • A power station that is run remotely, either always or during nights and weekends.
  • An area in a factory or plant that contains OT cyber assets and might be unmanned for many hours or days at a time.

Once you have identified all unmanned sites with OT cyber assets, verify that each has:

  • The “require authentication” option turned on.
  • An “idle timeout” set, so that users are automatically logged off after that period of inactivity. The exact interval is not nearly as critical as having one set. What you are trying to avoid is a system left logged in for days, weeks, or months until the next time the site is visited.
  • Default credentials changed.

If possible, set up accounts for multiple roles, such as Operator, Technician, Engineer and Administrator. Even better would be to set up individual accounts for each person who requires authenticated access. This may not be possible in the system or practical for the cyber maintenance philosophy.
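
The checks above can be run over an asset inventory export. The following is an added example, not part of the original article; the CSV column names and the sample rows are assumptions constructed for illustration. It treats any positive idle timeout as a pass and reports a single shared account as advice rather than a failure, matching the priorities described above.

```python
import csv
import io

# Constructed sample inventory; the column names are assumptions for this example.
SAMPLE_INVENTORY = """site,asset,manned,auth_required,idle_timeout_min,default_creds_changed,accounts
Pump Station 7,HMI-01,no,yes,15,yes,operator;technician;engineer;administrator
Pump Station 7,RTU-02,no,no,,no,admin
Substation East,HMI-03,no,yes,0,yes,operator
Main Control Room,HMI-10,yes,no,,yes,operator
Compressor Station 2,EWS-04,no,yes,480,yes,shared
"""


def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_unmanned(inventory_csv):
    """Return {(site, asset): {"fail": [...], "advise": [...]}} for unmanned assets."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if _yes(row["manned"]):
            continue  # manned sites rely on people present; out of scope here
        fail, advise = [], []
        if not _yes(row["auth_required"]):
            fail.append("authentication not required")
        # Any positive timeout passes: the interval matters less than having one.
        timeout = row["idle_timeout_min"].strip()
        if not timeout.isdigit() or int(timeout) == 0:
            fail.append("no idle timeout set")
        if not _yes(row["default_creds_changed"]):
            fail.append("default credentials unchanged")
        # Roles are "if possible", so a single account is advice, not a failure.
        accounts = [a for a in row["accounts"].split(";") if a.strip()]
        if len(accounts) < 2:
            advise.append("single account; consider per-role or per-person accounts")
        results[(row["site"], row["asset"])] = {"fail": fail, "advise": advise}
    return results


if __name__ == "__main__":
    for (site, asset), r in audit_unmanned(SAMPLE_INVENTORY).items():
        status = "FAIL" if r["fail"] else "OK"
        print(f"{status:4} {site} / {asset}: {'; '.join(r['fail'] + r['advise']) or 'all checks pass'}")
```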

These same good practices would apply to all OT systems and applications, but they are more important at unmanned sites.


Unmanned Site | Authentication | Idle Timeout | Default Credentials | Roles