ICS/SCADA Access Controls
Industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems (a subset of ICS) manage our critical national infrastructure. Controlling logical access to these systems is not easy, given their often-distributed nature and the large number of employee and support roles needing access.
This article provides an overview of ICS logical access management challenges and ways to meet them, including network segmentation, risk-based access control and context-aware authentication and authorization.
Definitions
Before we continue, it is essential to understand the concepts and terms used in ICS (Stouffer, Pillitteri, Lightman, Abrams, & Hahn, 2015).
- Industrial control system (ICS): Using an array of technologies and protocols, ICS manages
  - Industrial processes
  - Delivery of electricity
  - Delivery of water
  - Processing of wastewater
  - Delivery of natural gas
- Supervisory control and data acquisition (SCADA): A subset of ICS, SCADA is used to manage distributed systems, such as
  - Water distribution
  - Electrical utility transmission
  - Rail and other public transportation
  - Oil and natural gas pipelines
- Human-machine interface (HMI): The HMI is the interface used by humans to interact with ICS and SCADA systems and devices. It is the portal to the ICS/SCADA supervisory computers used for monitoring and control.
Challenges
To cover both ICS and SCADA, let’s imagine an example. The headquarters building includes a business office network, a business data center and the ICS network. The cloud represents the various ways an ICS organization might communicate with controls at distributed locations.
The networks are all connected via a core switch and all are potentially available to the internet. This can make the ICS and SCADA systems susceptible to cyber-intrusions started on remote or local user devices. This is a significant access control challenge associated with employees. However, this is not the biggest challenge.
Critical infrastructure requires access by
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Tom Olzak. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/KNYrM_CYsM4/