Industrial Control Systems (ICS) differ from traditional information technology (IT) systems, making the implementation of certain security controls difficult. Access Controls (AC) deal with how users or processes access the system. The National Institute of Standards and Technology (NIST) defines access controls as follows:
“The process of granting or denying specific requests for obtaining and using information and related information processing services for physical access to areas within the information system environment.”
NIST Special Publication (SP) 800-82, Revision 2 is used to implement security controls in systems owned and used by the federal government. Those working on ICSes in a federal environment are bound to NIST standards.
The Center for Internet Security (CIS) has created an implementation guide for Industrial Control Systems (ICS). They are currently on version 7. This guide is useful for those working in commercial ICS environments.
Below, we will discuss access controls and the best ways to implement them in ICS environments.
CIS access control implementation
CIS is used in non-federal environments. There are five controls listed that are applicable to access control implementation. They are described below:
CIS Control 4 — Controlled Use of Administrative Privileges
One of the ways potential hackers gain access to a system is by using phishing techniques to get a privileged user to open a malicious email that delivers the payload. Another is using the same technique on a less-privileged user and then exploiting password weaknesses to elevate privileges and wreak havoc on the system.
This is why strong password policies and separation-of-duties practices are vital in protecting an ICS environment. Ways to implement this control include:
- Implement multi-factor authentication
- Enforce use of a 14+ character password or a password with capitals, special characters and numbers
- Remove all default admin accounts
- Force admin users (Read more...)
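The first three items in the list above can be checked mechanically. The following is an added example, not code from the original post: it audits a constructed account inventory and password policy. The field names, the default-account name list and the choice to apply the MFA check to admin accounts are assumptions.

```python
# Assumption: names treated as default admin accounts; extend per vendor/site.
DEFAULT_ADMIN_NAMES = {"admin", "administrator", "root"}

def policy_ok(policy):
    """True if the policy enforces 14+ characters, or capitals + specials + numbers."""
    long_enough = policy.get("min_length", 0) >= 14
    complex_enough = all(
        policy.get(key, False)
        for key in ("require_upper", "require_special", "require_digit")
    )
    return long_enough or complex_enough

def audit(accounts, policy):
    """Return sorted (account, finding) tuples; account '*' marks a policy-wide finding."""
    findings = []
    if not policy_ok(policy):
        findings.append(("*", "password policy below 14 chars and lacks full complexity"))
    for acct in accounts:
        name = acct["name"]
        # The list says to remove default admin accounts, so a disabled one still counts.
        if name.lower() in DEFAULT_ADMIN_NAMES:
            findings.append((name, "default admin account present"))
        if not acct.get("enabled", True):
            continue  # MFA only matters for accounts that can log in
        if acct.get("is_admin") and not acct.get("mfa_enabled"):
            findings.append((name, "admin account without multi-factor authentication"))
    return sorted(findings)

# Constructed sample data (not from a real system).
SAMPLE_POLICY = {"min_length": 8, "require_upper": True,
                 "require_special": False, "require_digit": True}
SAMPLE_ACCOUNTS = [
    {"name": "Administrator", "is_admin": True, "mfa_enabled": False, "enabled": True},
    {"name": "hmi_operator", "is_admin": False, "mfa_enabled": False, "enabled": True},
    {"name": "eng_jsmith", "is_admin": True, "mfa_enabled": True, "enabled": True},
    {"name": "root", "is_admin": True, "mfa_enabled": False, "enabled": False},
]

if __name__ == "__main__":
    for account, finding in audit(SAMPLE_ACCOUNTS, SAMPLE_POLICY):
        print(f"{account}: {finding}")
```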
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Tyra Appleby. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/2gCll3kx8L4/