Credential management in Control Systems

The access to control systems can be done in many different ways. Local accesses are usually performed by the operator, which makes all connections; but there can also be remote connections, from engineering stations for example, or even from outside, when suppliers or manufacturers perform maintenance tasks. Finally, this results in the control systems credentials being exposed and known by too many people, therefore keeping very often default credentials to facilitate management.

Common problems with credentials

Easy passwords used within control systems is just one of the many problems affecting credentials. Among them, the following are specially noteworthy:

• Use of default passwords: It is common for remote located devices to have default passwords. This allows operators to access them without having to know their location, since all devices have the same login credentials.
• Use of shared passwords: Many devices do not even allow multiple users and, other times, this is simply done to improve the efficiency of the maintenance or support team, for example. It's common practice to share credentials among several physical users. This prevents traceability of the actions carried out and allows users to know access credentials even after they have left the company.
• Increased use of credentials: More and more applications and users need credentials to access control systems. This involves a greater transfer of authentication information through the network, which, in case of not being correctly insured, may lead to the disclosure of credentials.
• Use of privileged credentials: The use of accounts – with administrator permissions or similar – to access different components of control systems continues to grow and many times this becomes unmanageable, preventing the correct management and monitoring of actions. Maintenance staff, manufacturers, operators, control engineers, automatic processes and corporate applications are some examples of the use of privileged accounts.
• Embedded passwords: The introduction of general purpose equipment not specifically designed for the process has allowed saving costs and improving compatibility, but it has also led to an increased use of embedded passwords. This increases the risk of comprise and unauthorised accesses throughout the system, which may lead to the manipulation of devices, code execution or to a denial of service.

Improvements and challenges

The correct management of credentials within an industrial control system has several implications –from those due to the complexity of its management to the economic ones.

• Increased risk of a system crash: Commercial equipment used such as HMI, servers and workstations are the main risk points within industrial networks. Equipment connecting with the corporate network and their configuration represent the second critical point. Both may be subject to compromise of privileged credentials used in the different accesses.
• Increased operational costs: The implementation of security measures and controls without proper preparation may result in increased maintenance and management times, as well as difficulties for scaling the proposed solutions.
• Regulations and standards: Critical infrastructures must comply with specific regulations and prove their level of compliance to the competent authority. It is therefore necessary for built-in tools in said infrastructures to be able to generate indicators capable of helping in these processes.
• Privileged accounts: All devices and software have privileged accounts. The risk arises when accounts are no longer correctly managed, are known by too many people or aren't robust enough.

To help us deal with these problems there are specific tools called credential managers. These tools have been used for a long time in IT environments, but have recently started to be implemented in OT environments. This is mainly due to the way of managing urgency accesses, which require an immediate authentication to solve problems arising during the process.

Credential manager features

When choosing a credential management tool, a requirement should be that it covers some basic aspects of the industrial control systems operation:

• Discovery of credentials: Many control systems are not correctly inventoried, so their existence or real users may be unknown. The credential management solution must be able to recognise and store those credentials found in the network or through the equipment monitoring. This discovery process –to load the tool's users database– must be the initial phase.
• Concealment of credentials: Control systems users should not know access credentials at any time, or at least the password. This way, disclosing said information to manufacturers and maintenance employees would not be necessary, avoiding thus the need to update them if the maintenance company or operators change. This measure also helps to avoid internal threats from unhappy employees, who, for their knowledge, may perform malicious actions.
• Periodic rotation of keys: this additional security measure limits the temporal validity of the passwords, reducing this way the risk of theft. A credential management tool should perform this task automatically and programmable, enabling keys to be more frequently changed than usual in common control systems facilities.
• Registration of accesses: The use of shared credentials makes attribution of the actions performed on devices difficult. The credential management solution must be able to register the identity of the physical user who has used the credentials stored, usually through the corporate user with which the credential management tool is accessed.
• Single access point: The credential management solution must be the place receiving all requests to any device of the control system, being the solution the one checking, on the one hand, if the specific user has access to the requested device/application and, on the other hand, introducing credentials with adequate privileges and referring the user to the device/application already authenticated.

Commercial tools

The market of credential manager solutions is not very much aimed at control systems, but there are certain specific solutions and others common to IT environments that also have some kind of support for industrial control systems. Solutions from IT environments are limited to the management of privileged credentials discovery, lacking the rest of necessary capacities in control systems.

Some of the existing commercial options are:

• Shared account password management, by Centrify
• Shell Control Box, by Balabit
• Privileged Password Manager, by Quest
• PowerBroker Password Safe, by beyondtrust
• CyberArk Privileged Account Security, by CyberArk

The correct management of security within devices and control systems applications requires knowing when, why, for what and who is using specific credentials. The implementation of tools allowing the control of said task must be considered in order to improve the security level and facilitate monitoring, enabling the discovery of potential attacks or data leaks.