Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchner of CyberArk
The session will cover the security risks and issues around the management and usage of privileged/interactive user remote access and will cover the following topics:

- Management of generic and shared accounts (and their users)
- Remote interactive access to critical systems (e.g. vendor support)
- Current typical jump server implementations and their security weaknesses
- Isolation, Monitoring and Control over interactive/privileged sessions
- Recommended design and implementation of jump servers

The session will cover the security issues and the proposed solutions.

Published in: Technology

Transcript

Slide 1. Securing Remote Access to OT/ICS Systems
Yariv Lenchner, Sr. Product Manager, CyberArk Software
Slide 2. Current ICS Security Status
▪ We all know that many ICS systems and devices are vulnerable to cyber attacks
▪ There are many reasons for this:
  ■ Preferring system availability over security
  ■ Lack of focus on security during development
  ■ No or very little patching to systems in production environments
▪ The usual advice and best practice was to isolate, isolate, isolate!
Slide 3. Can We Really Isolate All Critical Networks?
▪ The assumption that our critical network is isolated is very problematic:
  ■ Removable media
  ■ Mistakes and temporary connections
  ■ Remote access
▪ How do we design a truly secure remote access system?
▪ A design that will also help secure against the first two types of threat
Slide 4. The Homegrown Proxy Server
▪ The typical and most popular solution is a homegrown proxy server
▪ Usually deployed as an entrance point to the critical network
▪ Let’s go over some of the security challenges with this popular deployment and how to solve them
Slide 5. 1) The “All or Nothing” Challenge
▪ The remote proxy usually serves as an access point for multiple users with different target devices and different privileges
▪ Once access to the proxy is granted, the remote user usually has unlimited access to all resources or devices on the critical network
▪ Recommendation:
  ■ Implement granular restriction of users to connect to specific systems only
Slide 6. 2) The Shared Account Issue
▪ Many resources on the critical network are being managed through shared privileged accounts (IEDs, HMIs, Applications, Routers, Servers, FWs…)
▪ Remote access users usually use the same shared and privileged accounts
▪ Managing passwords on shared accounts that have internal and remote users becomes a serious issue
▪ Results:
  ■ Passwords are not updated
  ■ No track of who knows a password
  ■ Updating passwords brings the risk of not knowing a password in an emergency
  ■ No accountability
▪ Recommendation:
  ■ Implement and enforce the usage of users on the proxy server

Sidebar quotes (Mandiant, M-Trends and APT1 Report):
“APT intruders…prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts.”
“…100% of breaches involved stolen credentials.”
Slide 7. 3) Workflow and Policy Enforcement
▪ Remote access to the proxy server is available at any time to anyone who has access to it
▪ Policies that control the access process are manual and hard to enforce
▪ Different policies exist for different users and systems
▪ Homegrown proxy servers usually do not enforce policies that consider:
  ■ Time of day
  ■ Length of remote session
  ■ Access request reason
  ■ Manager’s approval
▪ Homegrown proxy servers do not keep any kind of log about the request reason or on the approval
▪ Recommendation: Implement a proxy server with policy enforcement and dual control capability
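The following is an added example, not part of the slide deck or of any CyberArk product: a policy check a jump server could run before brokering a remote session, covering the granular target restriction of slide 5 and the time-of-day, session-length, request-reason and manager-approval conditions of slide 7. The user names, device names and policy values are constructed.

```python
# Added example (not from the slides): a policy check a jump server could run
# before brokering a remote session. Users, targets and policy values are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Policy:
    allowed_targets: set        # granular: which devices this user may reach (slide 5)
    window: tuple               # permitted hours of day as (start, end), 24h clock
    max_session: timedelta      # maximum length of one remote session
    require_reason: bool = True     # an access request reason must be supplied
    require_approval: bool = True   # dual control: a manager must approve

@dataclass
class Request:
    user: str
    target: str
    when: datetime
    duration: timedelta
    reason: str = ""
    approved_by: str = ""

POLICIES = {  # constructed sample policy table
    "vendor_acme": Policy({"rtu-01", "hmi-02"}, (8, 18), timedelta(hours=2)),
    "ops_oncall": Policy({"rtu-01", "rtu-02", "hmi-02"}, (0, 24),
                         timedelta(hours=8), require_approval=False),
}

def evaluate(req, policies=POLICIES):
    """Return (allowed, denial_reasons, audit_record); the record keeps reason and approver."""
    pol = policies.get(req.user)
    denials = []
    if pol is None:
        denials.append("unknown user")
    else:
        if req.target not in pol.allowed_targets:
            denials.append(f"target {req.target} not permitted for {req.user}")
        start, end = pol.window
        if not start <= req.when.hour < end:
            denials.append(f"outside permitted hours {start:02d}:00-{end:02d}:00")
        if req.duration > pol.max_session:
            denials.append("requested session longer than policy maximum")
        if pol.require_reason and not req.reason.strip():
            denials.append("access request reason missing")
        if pol.require_approval and (not req.approved_by or req.approved_by == req.user):
            denials.append("manager approval missing or self-approved (dual control)")
    record = {"user": req.user, "target": req.target, "time": req.when.isoformat(),
              "reason": req.reason, "approved_by": req.approved_by,
              "decision": "DENY" if denials else "ALLOW", "denials": denials}
    return not denials, denials, record
```

Every evaluation produces an audit record whether it is allowed or denied, so the request reason and approver are logged even when the proxy refuses the connection.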
Slide 8. 4) Monitoring and Control
▪ Once access is granted, there is very little control over what the remote user is actually doing
▪ There is no real time over-the-shoulder monitoring capability
▪ No real records of everything that is being done during a remote session
▪ No quick and easy capability to terminate a remote session immediately
▪ Recommendation:
  ■ The proxy server should allow a certified supervisor to monitor and control real-time remote sessions
  ■ The proxy server should be able to video record the session for future review
Slide 9. 5) Are You Sure There Are No Bypasses?
▪ The Million Dollar Question:
  ■ Are you sure there is no other way to access the critical devices on the critical network?
▪ If the proxy is bypassed, the last line of defense is the privileged account password
▪ Passwords tend to be guessed, stolen, hijacked, found or even given away
▪ Recommendation:
  ■ Privileged passwords should be stored, managed and only known to the proxy server itself
Slide 10. 6) Analytics and SIEM Integration
▪ Malicious activity passing through the proxy server can continue for long periods while going undetected
▪ A typical proxy server is not capable of detecting anomalies in remote connections made through it
▪ Recommendation:
  ■ The proxy server should be able to compare current remote access activity to historical activity in real time
  ■ Detection of anomalies as they happen allows the incident response team to respond and disrupt the attack
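As an added example (not from the slides or any vendor product) of the comparison slide 10 recommends, this builds a per-user baseline from the proxy's own session history and scores each new session against it, returning indicators a SIEM or incident response team could act on. The session history is constructed; the thresholds (unseen target, unseen hour, more than twice the usual duration) are illustrative choices.

```python
# Added example (not from the slides): compare a new remote session brokered by
# the proxy against the user's historical sessions. History below is constructed.
from collections import defaultdict
from datetime import datetime

# Constructed history: (user, target, session start, duration in minutes)
HISTORY = [
    ("vendor_acme", "rtu-01", "2014-05-05T09:10", 45),
    ("vendor_acme", "rtu-01", "2014-05-12T10:30", 50),
    ("vendor_acme", "hmi-02", "2014-05-19T14:00", 30),
    ("vendor_acme", "rtu-01", "2014-05-26T11:15", 40),
]

def build_baseline(history):
    """Per-user profile: targets reached, hours of day seen, past durations."""
    base = defaultdict(lambda: {"targets": set(), "hours": set(), "durations": []})
    for user, target, start, minutes in history:
        profile = base[user]
        profile["targets"].add(target)
        profile["hours"].add(datetime.fromisoformat(start).hour)
        profile["durations"].append(minutes)
    return base

def score_session(user, target, start, minutes, baseline):
    """Return anomaly indicators for one session; an empty list means it matches history."""
    profile = baseline.get(user)  # .get() does not create a profile for unknown users
    if profile is None:
        return ["no history for user"]
    flags = []
    if target not in profile["targets"]:
        flags.append(f"first access to {target}")
    hour = datetime.fromisoformat(start).hour
    if hour not in profile["hours"]:
        flags.append(f"unusual hour {hour:02d}:00")
    mean = sum(profile["durations"]) / len(profile["durations"])
    if minutes > 2 * mean:
        flags.append(f"session of {minutes} min is more than twice the usual {mean:.0f} min")
    return flags
```

In a real deployment the history would come from the proxy's session log, and each non-empty result would be forwarded to the SIEM as the session is still running rather than after the fact.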
Slide 11. Securing Remote Access into ICS Networks
CyberArk’s Privileged Session Manager (PSM)
Slide 12. Securing Access Into the ICS/OT Network
(Architecture diagram; labels: Corporate Network, Corporate User, VPN, DMZ firewall, Web Portal, Third party vendor, Supervisor, DMZ, PSM, ICS firewall, Session Recording, Password Vault, ICS Network: Databases, UNIX Servers, Windows Servers, Routers & Switches, SCADA Devices)
Slide 13. Summary
▪ Remote Access – Many critical networks need some type of remote access
▪ It is better to implement a secure remote access solution than to ignore the need for one and end up using non-secure methods
▪ NERC CIP v5 includes new requirements for the proxy server (the intermediate device) – use the new requirements to build the appropriate solution
▪ Align your secure remote access methods with privileged password management to minimize the risk of attack
Slide 14. Questions?
Slide 15. Thank You!
Yariv Lenchner, Sr. Product Manager, CyberArk
yarivl@cyberark.com
www.cyberark.com