Full Report
This blog is part of a blog series detailing best practices for operational technology (OT) cybersecurity for under-resourced organizations by... The post OT Cybersecurity Best Practices for SMBs: Identity and Access Management in OT first appeared on Dragos.
Analysis Summary
# Best Practices: Operational Technology (OT) Identity and Access Management (IAM) for Under-Resourced Organizations
## Overview
These practices detail fundamental Identity and Access Management (IAM) principles and their application within Operational Technology (OT) environments, specifically tailored to assist under-resourced organizations (SMBs) lacking sufficient financial resources or technical expertise in establishing minimum baseline cybersecurity protections. IAM focuses on managing user identities and controlling their access to organizational resources across four pillars: Identity Lifecycle Management (ILM), Access Control (AC), Authentication and Authorization (AA), and Identity Governance (IG).
## Key Recommendations
### Immediate Actions
1. **Establish Identity Attributes:** Begin documenting essential attributes for all user and service identities (e.g., full name, username(s), job title, assigned permissions) for systems within the OT environment.
2. **Define Service Account Management Triggers:** Document the specific circumstances that will trigger a mandatory credential change for service accounts (e.g., departure of an associated employee, suspicion of compromise, minimum annual rotation).
3. **Prioritize Critical Account Logging:** Immediately configure logging and alerting specifically for **service accounts** to detect and flag any attempted interactive logins against them.
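One way to implement the service-account alerting described in item 3, as an added example that is not code from the Dragos post: it scans Windows Security logon events (4624/4625) exported as JSON lines and flags any service account that used an interactive logon type. The event sample, the service-account list and the host names are constructed for the example.

```python
"""Flag interactive logon attempts against inventoried OT service accounts.

Added example (not from the Dragos post). Input is a constructed sample of
Windows Security events exported as JSON lines; field names follow the
4624/4625 event schema (TargetUserName, LogonType), the values are made up.
"""
import json

# Logon types that imply a person at a console or in a remote session.
INTERACTIVE_LOGON_TYPES = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}
# Service accounts are assumed to be inventoried by name (identity attributes, item 1).
SERVICE_ACCOUNTS = {"svc_historian", "svc_hmi_backup", "svc_opc"}

# Constructed sample events: one normal service logon (type 5), one human
# console logon, one failed remote interactive attempt and one console logon
# with a service account.
SAMPLE_EVENTS = "\n".join([
    '{"EventID": 4624, "TargetUserName": "svc_historian", "LogonType": 5, "Computer": "HIST01"}',
    '{"EventID": 4624, "TargetUserName": "jsmith", "LogonType": 2, "Computer": "HMI02"}',
    '{"EventID": 4625, "TargetUserName": "svc_hmi_backup", "LogonType": 10, "Computer": "ENG01", "IpAddress": "10.0.5.23"}',
    '{"EventID": 4624, "TargetUserName": "svc_opc", "LogonType": 2, "Computer": "OPC01"}',
])


def find_interactive_service_logons(jsonl, service_accounts=SERVICE_ACCOUNTS):
    """Return one alert dict per 4624/4625 event in which a service account
    used an interactive logon type; successful and failed attempts both count."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") not in (4624, 4625):
            continue
        user = ev.get("TargetUserName", "").lower()
        ltype = ev.get("LogonType")
        if user in service_accounts and ltype in INTERACTIVE_LOGON_TYPES:
            alerts.append({
                "account": user,
                "host": ev.get("Computer"),
                "source_ip": ev.get("IpAddress", "-"),
                "logon_type": INTERACTIVE_LOGON_TYPES[ltype],
                "outcome": "success" if ev["EventID"] == 4624 else "failure",
            })
    return alerts


if __name__ == "__main__":
    for a in find_interactive_service_logons(SAMPLE_EVENTS):
        print(f"ALERT {a['outcome']}: {a['account']} {a['logon_type']} logon on {a['host']} from {a['source_ip']}")
```

A normal service logon (type 5) by the same account produces no alert, so the rule stays quiet during routine operation and fires only when the account is used the way a person would use it.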
### Short-term Improvements (1-3 months)
1. **Implement Granular Access Control:** Transition away from granting universal privileges. Begin mapping user roles to required access based on job function, utilizing Role-Based Access Control (RBAC) principles where possible.
2. **Formalize HR/OT Offboarding Synchronization:** Develop and document a clear, integrated process to ensure that when an employee departs or changes roles, their access credentials for OT assets are reviewed and suspended/revoked simultaneously with IT actions.
3. **Initiate Auditing Processes:** Begin reviewing current access rights against established job roles (a core component of Identity Governance) to identify and remediate excessive or unnecessary permissions.
### Long-term Strategy (3+ months)
1. **Automate Identity Lifecycle Processes:** Explore and implement mechanisms to automate the creation, modification, and suspension of user accounts to reduce manual errors and latency in access revocation.
2. **Formalize Identity Governance Policies:** Develop formal policies covering password complexity, enhanced logging requirements (especially for administrative and service accounts), and documentation necessary to support required auditing.
3. **Incorporate Supply Chain Risk into IAM:** For larger organizations, integrate the security posture of critical OT suppliers into your risk assessment, considering how their IAM failures might impact your operations, and actively promote OT-CERT resources to them.
## Implementation Guidance
### For Small Organizations
- **Focus on Manual Documentation:** Since automation may be unaffordable, establish robust, **manual** checklists and procedures for ILM (creation/deactivation) and immediately document the process for rotating service account credentials.
- **Leverage Free Resources:** Join and utilize the free resources provided by Dragos OT-CERT, such as assessments and toolkits, to build foundational knowledge without hiring external experts.
- **Use Simple RBAC:** Start by defining 3-5 distinct core roles within the OT environment (e.g., Operator, Maintenance Technician, Engineer, Administrator) and assign access strictly based on those roles.
### For Medium Organizations
- **Pilot Automation Tools:** Evaluate low-cost or open-source tools to begin automating routine ILM activities, particularly synchronization between HR systems (if available) and OT user directories.
- **Enhance Service Account Monitoring:** Deploy centralized logging solutions (leveraging OT-CERT toolkits if necessary) to ensure service account activity is aggregated, monitored, and alerted upon.
- **Develop Formal IG Documentation:** Draft formal policies for password complexity and retention, ensuring they are communicated to all OT personnel.
### For Large Enterprises
- **Supply Chain Security Integration:** Actively quantify the likelihood and operational impact of successful cyberattacks against critical OT suppliers, using this data to inform risk models and mitigation strategies.
- **Promote Shared Standards:** Proactively share OT cybersecurity best practice guidance, including IAM principles, with critical suppliers to raise the overall ecosystem security posture.
- **Mature Governance & Compliance:** Ensure IG processes demonstrate evidence gathering through logging that specifically meets the requirements of relevant compliance standards (e.g., GDPR, PCI DSS) beyond minimum operational needs.
## Configuration Examples
* **Service Account Credential Rotation:** Implement a policy requiring credential rotation for high-privilege service accounts:
  * Annually, minimum.
  * Immediately upon termination of any employee possessing knowledge of the credentials.
  * Immediately upon detection of anomalous behavior or suspected compromise.
* **Service Account Access Restriction:** Configure system policies to explicitly deny interactive logins for all service accounts (i.e., only allow non-interactive service execution).
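The rotation triggers above and the HR/OT offboarding synchronization from the short-term improvements can be checked in one pass over an account inventory. The following is an added example, not Dragos code: the HR roster, the OT account list and the field names (custodians, last_rotated, suspected_compromise) are constructed assumptions about how a small organization might record its identity attributes.

```python
"""Reconcile OT accounts against the HR roster and the rotation triggers.

Added example, not from the Dragos post. Roster and inventory are constructed
sample data; the field names are assumptions about the identity attributes
an organization records for each account.
"""
from datetime import date, timedelta

MAX_ROTATION_AGE = timedelta(days=365)   # "annually, minimum"

# Constructed HR roster: everyone still employed on the run date.
HR_ACTIVE = {"jsmith", "alee", "rkhan"}

# Constructed OT account inventory. Each service account records the people
# who know its credential, so a departure can trigger a rotation.
OT_ACCOUNTS = [
    {"name": "jsmith", "kind": "user"},
    {"name": "bjones", "kind": "user"},   # left the company, still enabled in OT
    {"name": "svc_historian", "kind": "service", "custodians": {"alee"},
     "last_rotated": date(2024, 1, 10), "suspected_compromise": False},
    {"name": "svc_opc", "kind": "service", "custodians": {"bjones", "rkhan"},
     "last_rotated": date(2025, 1, 15), "suspected_compromise": False},
    {"name": "svc_hmi_backup", "kind": "service", "custodians": {"rkhan"},
     "last_rotated": date(2025, 3, 1), "suspected_compromise": True},
]


def reconcile(accounts, hr_active, today):
    """Return {account name: [required actions]} for accounts needing action today."""
    actions = {}
    for acct in accounts:
        reasons = []
        if acct["kind"] == "user":
            if acct["name"] not in hr_active:
                reasons.append("suspend: no longer on HR roster")
        else:
            departed = acct["custodians"] - hr_active
            if departed:
                reasons.append(f"rotate: custodian departed ({', '.join(sorted(departed))})")
            if acct["suspected_compromise"]:
                reasons.append("rotate: suspected compromise")
            if today - acct["last_rotated"] > MAX_ROTATION_AGE:
                reasons.append("rotate: older than annual maximum")
        if reasons:
            actions[acct["name"]] = reasons
    return actions


if __name__ == "__main__":
    for name, reasons in reconcile(OT_ACCOUNTS, HR_ACTIVE, date(2025, 6, 1)).items():
        print(name, "->", "; ".join(reasons))
```

Run on a schedule (or manually from the checklist in a small organization), the output is the work list for the OT team: which user accounts to suspend and which service account credentials to rotate, with the trigger that caused each item.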
## Compliance Alignment
- **NIST Cybersecurity Framework (CSF):** Primarily addresses the **Identify (ID)** function (Asset Management, Risk Assessment) and the **Protect (PR)** function (Identity and Access Management).
- **ISO/IEC 27001/27002:** Relevant controls covering Information Access Restriction and User Access Management.
- **CIS Controls:** Applicable controls focus on Inventory and Control of Enterprise Assets and Control of Account Permissions.
- **Regulatory Standards (If applicable, e.g., GDPR, PCI DSS):** Identity Governance processes must ensure logs gather necessary evidence to support required auditing policies.
## Common Pitfalls to Avoid
- **Treating all Accounts the Same:** Failing to differentiate between human user accounts and service accounts, leading to inadequate lifecycle management and monitoring for high-risk service accounts.
- **Over-Permissioning:** Granting overly broad permissions using generic group accounts instead of assigning granular, role-based access (violates the principle of Least Privilege).
- **Ignoring HR Offboarding Gaps:** Relying solely on IT notifications, which often fail to reach the OT team in time, leaving accounts that are dormant but still active in the control system environment.
- **Assuming Internal Security is Sufficient:** Larger organizations must avoid the pitfall of believing internal security improvements insulate them from risks stemming from insecure suppliers or third parties.
## Resources
- **Dragos OT-CERT Membership:** Free enrollment available for OT asset owners and operators to access a growing library of resources.
- **OT-CERT Toolkit Examples:** Resources available through OT-CERT memberships include:
  * OT Asset Management Toolkit
  * Secure Remote Access Toolkit
  * Host-Based Logging and Centralized Logging Toolkits