During Cyber Security Awareness Month, the task of dealing with security can appear to be a very high and very wide cliff face, with no obvious path to the top.
To ease you onto a path, we are going to map out one specific security aspect to focus on.
You have probably come across terms like ‘2FA’, ‘MFA’ and maybe ‘SSO’. These are all lovely abbreviations that, for the initiated, are the bread and butter of the identity side of cyber security.
You currently have a username and a password to access a wide range of websites, computers and services. From your Netflix account to the payroll application, you gain access to these platforms as “you” simply by knowing your username and password.
If you have been paying attention to the last few decades of IT, it has become more than apparent that this simple combination of username and password has proved shockingly weak at actually preventing nefarious actors from logging in as “other” people.
The attack strategies for gaining access as “someone else” are well-known methods with their own terminology, e.g.
· Brute force attacks (trying every possible password until eventually guessing correctly)
· Dictionary attacks (operate under the assumption that people are predictable, pulling from a list of common passwords or combinations of words, sometimes specific to the target's interests)
· Phishing (using “social engineering” to send fraudulent messages that trick the receiver into revealing sensitive information)
· Impersonation (a type of phishing attack in which a legitimate sender is impersonated in order to lure the receiver into clicking a malicious link or downloading a malicious attachment)
So, what can you do to protect yourself from these types of attacks?
A common strategy around identity is to require a ‘second factor’ to prove you are who you say you are. In the early days this was a small plastic fob with a button that spat out a 6-digit code. Adding this measure mitigated the risk of someone else accessing your accounts.
The concept is to combine “something you know” with “something you have”. While a malicious third party may guess, or trick you out of, the “something you know”, they would need to go to rather more effort to obtain the “something you have”. This use of an additional factor, known as Two-Factor Authentication (or the more future-proof Multi-Factor Authentication), is meant to raise the barrier attackers must overcome to gain unauthorised access to your accounts.
The aim is to have multiple requirements, so that it is harder for an attacker to compromise all of them and hence impersonate you.
While there are proxy, spam and man-in-the-middle attacks that aim to defeat MFA techniques, the key takeaway is that additional factors of authentication significantly raise the difficulty of taking over your identity.
In a lot of industrial control systems we end up with every device having its own local password system, and these devices commonly have shared accounts or common passwords. This makes the questions “should you be accessing this device?” and “who is accessing this device?” almost impossible to answer.
Having a controlled and managed common directory of users that all devices draw from allows us to sanely manage complex control networks, and gives us some hope of maintaining visibility of OT staff access to devices and networks.
When you manage identity well, and apply those identities across your OT and IT networks, you start from a solid basis for the rest of a good security framework. You have essentially “solved” the ‘who’ part of the security work in front of you.
The Power of IXID
This is why at OpusV, when looking at bringing our talents to bear on the issue of cyber security in the power generation and industrial control fields, we started with the identity question.
We needed a platform that allowed non-IT people to administer, create and remove access to specific identities, external or internal.
We needed a simple identity enrolment system, that had MFA baked in from the beginning.
Then we needed key integrations so that RTUs, switches, SCADA and protection systems would link in with these “extra”-factor protected identities.
We called this product IXID, and it's made the job of securing grid-connected assets so much easier!