Access Control and Identity Management
Overview
Access Control and Identity Management are vital in OT environments to prevent unauthorized access, maintain system integrity, and secure critical operations. Given OT’s unique constraints—such as the need for generic accounts like Operator and Supervisor—access controls must balance security with operational requirements.
Standards like IEC 62443-3-3 and regional mandates such as NCA OTCC and UAE CSC emphasize both technical and procedural controls to manage access across OT systems, from engineering workstations (EWS) to programmable logic controllers (PLCs) and network infrastructure.
Importance
In industrial settings, where availability and safety are paramount, access control helps prevent unauthorized interactions with control processes. However, OT often requires shared accounts, and not all systems can enforce unique user IDs (UUIDs). This increases reliance on compensating procedural controls, such as strict monitoring and access logging. Effective access management not only mitigates insider threats but also reduces risks associated with external maintenance and third-party access, aligning with IEC 62443-3-3 FR1 and FR2 requirements.
- IEC 62443-3-3 SR 1.1 and SR 2.1: Enforce User Access Management and limit access to authorized users, with role-based controls to manage privileged access across OT systems.
- IEC 62443-3-3 SR 1.1 RE 1 (Use of Unique Accounts): While unique accounts may not always be feasible in OT, this requirement highlights the need for traceability and accountability. In cases where UUIDs aren’t possible, stringent procedural controls like logging and monitoring are recommended.
- IEC 62443-3-3 SR 1.3 (Account Management): Ensure the creation, modification, and deletion of accounts follows strict controls. This is especially relevant in OT where generic accounts (e.g., Operator, Supervisor) are common, requiring compensating procedural controls.
- IEC 62443-3-3 SR 1.1 RE 2 (Multifactor Authentication for Untrusted Networks): Requires multifactor authentication (MFA) for higher privilege levels, which is critical in OT environments for secure access to control system elements.
- IEC 62443-4-2 CR 1.1 and CR 1.3: Apply role-based access and integrate systems with centralized directories like Active Directory to ensure consistent user management across OWS, EWS, and server levels.
- IEC 62443-4-2 CR 1.5: Secure default accounts by modifying credentials on OT devices, including PLCs, sensors, and network modules, to prevent unauthorized access.
- IEC 62443-4-2 CR 1.2 and CR 7.6: Harden network modules and web interfaces, disabling unnecessary services and enforcing access policies to protect against unauthorized interactions with critical OT assets.
- IEC 62443-4-2 CR 2.1 (Control of Access Permissions): Applies to engineering workstations, HMIs, and remote workstations. All access must be controlled based on job role, authorization level, and only as necessary, following a strict least-privilege principle.
Our Approach
CS4 offers a robust Access Control and Identity Management solution tailored for OT environments.
- Active Directory (AD) Integration: Integrating all Operator Workstations (OWS), Engineering Workstations (EWS), and servers with AD centralizes access management. This aligns with IEC 62443-3-3 FR1 and FR2 by enforcing role-based access control (RBAC), MFA for secure remote access into your L3.5 iDMZ, and password complexity. For maintenance and third-party workstations that aren’t connected to the core network, we implement isolation policies to restrict access based on IEC 62443-2-1:2024 NET 3 – Secure Remote Access.
- Procedural Controls for Shared Accounts: Given OT’s reliance on shared accounts like “Operator” or “Supervisor,” procedural controls such as access logging, regular password changes, and activity monitoring are implemented to compensate for UUID limitations. These procedural steps align with NCA OTCC and UAE CSC guidelines for ensuring accountability in shared environments.
- Default Account Management: Default and vendor-supplied accounts across PLCs, sensors, DCS applications, and network infrastructure are secured by enforcing password changes and disabling unnecessary accounts. This practice is mandated by IEC 62443-4-2 CR 1.5 and protects devices, including WirelessHART modules and the web-enabled interfaces of network, controller, and sensor equipment, from unauthorized access through unchanged default credentials.
- Isolated Access for Unconnected Systems: For maintenance and third-party devices that do not connect to AD, CS4 deploys isolated network segments with access limitations, reducing the risk from potentially vulnerable or compromised external workstations. This approach is in line with IEC 62443-3-2’s requirements on network segmentation and zone-based access control.
- Network Module and Web Interface Security: CS4 enforces secure configurations on network modules and web interfaces for devices such as PLCs, SCADA systems, and actuators, many of which are often overlooked. We apply hardened configurations, disable unused services, and implement role-based permissions to secure these interfaces in compliance with IEC 62443-4-2 CR 1.2 and CR 7.6.
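The compensating controls for shared accounts described under Importance (logging and monitoring where unique user IDs are not possible) and in the Procedural Controls for Shared Accounts bullet above can be turned into a routine review: join each logon of a generic account such as Operator to the shift roster so it is attributable to a named person, and flag the cases a reviewer wants to see. The script below is an added example written for this page, not CS4's tooling or any vendor's product; the log line format, the shift roster, the role-to-host mapping, and every event are constructed assumptions.

```python
"""
Shared-account attribution review for OT workstations.

Added example (not CS4's code). Compensating procedural control for a
generic account such as "Operator": attribute each logon to the person on
shift and flag (1) logons outside any rostered shift, (2) logons from a host
the role is not assigned to, and (3) the same shared account active on two
hosts at once. All inputs are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class LogonEvent:
    ts: datetime   # event time (assumed UTC)
    account: str   # account name as seen in the log, e.g. "Operator"
    host: str      # workstation the logon occurred on
    action: str    # "logon" or "logoff"


@dataclass
class Shift:
    person: str
    start: datetime
    end: datetime


# Constructed: hosts each shared role is permitted to be used from.
ROLE_HOSTS: Dict[str, Set[str]] = {
    "Operator": {"OWS-01", "OWS-02"},
    "Supervisor": {"OWS-03"},
}

# Constructed: shift roster covering the shared "Operator" account.
ROSTER: Dict[str, List[Shift]] = {
    "Operator": [
        Shift("A. Khan", datetime(2024, 5, 6, 6, 0), datetime(2024, 5, 6, 14, 0)),
        Shift("B. Ali", datetime(2024, 5, 6, 14, 0), datetime(2024, 5, 6, 22, 0)),
    ],
}

# Constructed sample log, one event per line: "<ISO time> <account> <host> <logon|logoff>".
SAMPLE_LOG = """\
2024-05-06T06:02:00 Operator OWS-01 logon
2024-05-06T09:15:00 Operator OWS-02 logon
2024-05-06T09:40:00 Operator OWS-02 logoff
2024-05-06T13:58:00 Operator OWS-01 logoff
2024-05-06T14:05:00 Operator OWS-01 logon
2024-05-06T21:55:00 Operator OWS-01 logoff
2024-05-06T23:30:00 Operator EWS-07 logon
2024-05-06T23:45:00 Operator EWS-07 logoff
"""


def parse_log(text: str) -> List[LogonEvent]:
    """Parse the constructed log format into LogonEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, action = line.split()
        events.append(LogonEvent(datetime.fromisoformat(ts), account, host, action))
    return events


def on_shift(account: str, ts: datetime) -> Optional[str]:
    """Return the rostered person for this account at time ts, or None."""
    for shift in ROSTER.get(account, []):
        if shift.start <= ts < shift.end:
            return shift.person
    return None


def review(events: List[LogonEvent]) -> Tuple[List[Tuple[LogonEvent, Optional[str]]], List[str]]:
    """Attribute every event to a person and collect findings for the reviewer."""
    attributions: List[Tuple[LogonEvent, Optional[str]]] = []
    findings: List[str] = []
    active: Dict[str, Dict[str, datetime]] = {}  # account -> {host: logon time}
    for ev in sorted(events, key=lambda e: e.ts):
        person = on_shift(ev.account, ev.ts)
        attributions.append((ev, person))
        if ev.action == "logon":
            where = f"{ev.ts.isoformat()} {ev.account}@{ev.host}"
            if person is None:
                findings.append(f"{where}: logon outside any rostered shift")
            if ev.host not in ROLE_HOSTS.get(ev.account, set()):
                findings.append(f"{where}: host not assigned to this role")
            sessions = active.setdefault(ev.account, {})
            if sessions:  # account already has an open session elsewhere
                findings.append(f"{where}: concurrent session (also active on {', '.join(sorted(sessions))})")
            sessions[ev.host] = ev.ts
        else:
            active.get(ev.account, {}).pop(ev.host, None)
    return attributions, findings


if __name__ == "__main__":
    attributed, flagged = review(parse_log(SAMPLE_LOG))
    for ev, person in attributed:
        print(f"{ev.ts.isoformat()} {ev.account}@{ev.host} {ev.action:6} -> {person or 'UNATTRIBUTED'}")
    print("\nFindings:")
    for f in flagged:
        print(" ", f)
```

On the sample data the review attributes the day-shift sessions to A. Khan and the afternoon sessions to B. Ali, and raises three findings: a second concurrent Operator session on OWS-02 at 09:15, and a 23:30 logon on EWS-07 that is both outside any rostered shift and from a host the Operator role is not assigned to. In a real deployment the events would come from the workstations' Windows Security log (logon 4624 and logoff 4634) forwarded to a central collector, and the roster from the shift-planning system; the point is that the join is what restores accountability for a shared account, which is why the roster and host assignment have to be maintained as carefully as the log itself.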
Our Capabilities
Our Access Control and Identity Management solutions are designed to meet industry-specific needs.
- Oil and Gas: Securing DCS systems and SCADA infrastructure with AD integration, strict access policies, and procedural controls for shared accounts, maintaining availability and safety.
- Energy and Utilities: Implementing robust controls on energy grids and substations, with isolated access for maintenance teams and AD integration for core components.
- Maritime: Protecting navigation and engine control systems with AD, device control, and strict procedural policies for shared access on the high seas.
- Chemical: Restricting access to sensitive control equipment with host-based firewalls, AD, and strict password policies on critical chemical processing systems.
- Manufacturing: Implementing isolated access for third-party maintenance on robotic systems, with network segmentation and whitelisting for connected machinery.
CS4’s Access Control and Identity Management solutions help ensure secure, reliable, and compliant OT operations. Our approach provides:
- Centralized management via AD, securing OT systems while maintaining ease of access.
- Procedural controls for accountability with shared accounts.
- Compliance with industry standards to protect critical infrastructure.