Introduction to Two-Factor Authentication
Today there are a series of tasks, such as software updates, maintenance work or configuration changes, which are carried out periodically and are necessary for the system to function correctly. On occasion these tasks are carried out remotely and by individuals external to the organisation (e.g. manufacturers or engineers). This access may be performed in a non-secure way or from an environment that may already have been compromised, and it is particularly in these cases that two-factor authentication (2FA) is recommended.
This access control measure is not new; it has been used for some time in IT systems, but with the arrival of Industry 4.0 and new interconnections between control systems and other areas, it is necessary to implement measures that provide real control over access to these systems. Requiring different mechanisms to authenticate adds a further, more secure layer to access control, as an attacker must defeat both mechanisms to reach the system.
Traditionally, access was controlled using a username and password. This combination allows us to identify ourselves (say who we are) and authenticate ourselves (prove that we are who we say we are). If, to this username/password combination, we add “something we have” (e.g. a USB token) or “something we are” (e.g. a fingerprint or facial recognition), the result is two-factor authentication. This should not be confused with two-step authentication: in the first case two distinct “pieces” are needed (a piece of information and a physical element), while in the second case the authentication is simply carried out in two phases, for example when we receive a confirmation email or a code by SMS.
On the website TwoFactorAuth.org you can find a list of many of the applications and third-party services that support two-factor authentication, where you can check which online services allow its use and which mechanism they offer (e.g. SMS, email, telephone call, hardware token or software token).
Some industrial control system environments, due to their nature, require a connection to or from cloud services (e.g. certain services of some manufacturers in the industrial sphere); in those cases it is advisable to activate 2FA mechanisms (e.g. a software token).
Software- or Hardware-Based Tokens
Today, the most widely used two-factor authentication mechanism is a code generated by a physical token or by software.
These tokens perform a cryptographic operation whose result is a single unique code. The operation is repeated every fixed period and each code is valid only for a limited time (e.g. 1 minute). The final code is derived from the current time using a one-time password (OTP) algorithm.
Physical tokens, such as RSA SecurID or YubiKey, are less widely used because, being card or keyring type hardware, they carry an additional cost. On the other hand, there are software-based token solutions, such as Google Authenticator, which are free and are even offered as a mobile application.
By adding a second factor, the login flow changes: to start a session in a service, the OTP code generated by the token must be supplied in addition to the username/password combination.
At present there are several software token solutions that can be used to deploy a two-factor authentication solution.
- Google Authenticator: a mobile application for two-factor authentication which uses the Time-based One-Time Password algorithm (TOTP) and the HMAC-based One-Time Password algorithm (HOTP) to authenticate users. There is a PAM module for installation on Linux systems and for authentication against RADIUS systems.
- Authy: Open Source multi-platform application: iPhone, Android, or desktop and offers three authentication combinations: Authy SoftToken, Authy OneCode and Authy OneTouch.
- Yubico: a hardware-based solution called YubiKey. It is a small hardware device that completes two-factor authentication with the simple touch of a button.
- DUO: allows users to protect their logins and transactions through smartphones and the application can be used offline. It is compatible with Linux and Windows systems. For example, in Windows it would be possible for RDP connections.
Two-Factor Authentication in Remote Access
All external access to control systems must be duly protected, controlled, monitored and logged; it is therefore important to know which devices these accesses are made from and whether they are duly authorised. Insofar as possible, and if the infrastructure allows it, control of authorised devices shall be performed using the 802.1x protocol together with a centralised authentication service (e.g. Active Directory). Moreover, for the VPN it would be convenient to add an encrypted layer using SSL.
Nevertheless, to raise the level of security of external access, it is recommended to add a second factor, which should also be deployed on SCADA applications, operator stations, virtualised desktops, remote desktop access and any other elements considered critical for the OT infrastructure.
Below is the authentication flow for external access via VPN protected by a two-factor authentication system. In summary, the process is:
- Authentication with username and password in the domain controller
- The domain controller verifies credentials
- If correct, request two-factor identification using a token
- The user verifies by a two-factor process
- The system grants access to the VPN
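The following is an added example, not code from the original article or from any of the vendors named above. It implements the token arithmetic described in the previous section (HOTP per RFC 4226 and TOTP per RFC 6238, the algorithms Google Authenticator uses) and then wires a verifier into the five-step VPN flow just listed. The PBKDF2 password store, the audit list, the user name, the fixed salt and the base32 secret are all constructed stand-ins for the domain controller and token enrolment a real deployment would have; the secret and timestamps used in the usage section are the published RFC test vectors.

```python
"""Added example: TOTP/HOTP token (RFC 4226 / RFC 6238) and a minimal
two-factor VPN login gate. Constructed for illustration; not vendor code."""
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    periods elapsed since the Unix epoch, so the code changes every period."""
    return hotp(secret, unix_time // step, digits)


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps are provisioned with the shared secret in base32."""
    return base64.b32decode(text.upper())


class TotpVerifier:
    """Server-side token check: tolerate +/- `window` steps of clock drift,
    compare in constant time, and never accept a time step that has already
    been used, so a captured code cannot be replayed (RFC 6238 section 5.2)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1  # highest counter accepted so far

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # already consumed: replay attempt or stale code
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_counter = candidate
                return True
        return False


SALT = b"constructed-fixed-salt"  # constructed; use a random per-user salt in practice


def password_hash(password: str, salt: bytes = SALT) -> bytes:
    """Stand-in for the domain controller's credential check."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class VpnGateway:
    """The five-step flow: credentials first, then the token, then access.
    Every step is appended to `audit` so failed attempts can be monitored."""

    def __init__(self):
        self.users = {}   # username -> (password hash, TotpVerifier)
        self.audit = []   # (username, stage, outcome)

    def enrol(self, username: str, password: str, base32_secret: str) -> None:
        verifier = TotpVerifier(secret_from_base32(base32_secret))
        self.users[username] = (password_hash(password), verifier)

    def login(self, username: str, password: str, code: str, unix_time: int) -> str:
        entry = self.users.get(username)
        # Steps 1-2: the domain controller verifies the username/password.
        # The hash is computed even for unknown users to keep timing uniform.
        supplied = password_hash(password)
        if entry is None or not hmac.compare_digest(entry[0], supplied):
            self.audit.append((username, "password", "fail"))
            return "denied: credentials"
        self.audit.append((username, "password", "ok"))
        # Steps 3-4: only a valid password holder is challenged for the token.
        if not entry[1].verify(code, unix_time):
            self.audit.append((username, "token", "fail"))
            return "denied: second factor"
        self.audit.append((username, "token", "ok"))
        # Step 5: both factors passed; grant the VPN session.
        self.audit.append((username, "vpn", "granted"))
        return "granted"


if __name__ == "__main__":
    # RFC 6238 reference secret "12345678901234567890" in base32.
    B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    gw = VpnGateway()
    gw.enrol("remote-engineer", "constructed-password", B32)
    code = totp(secret_from_base32(B32), 1234567890)
    print(gw.login("remote-engineer", "constructed-password", code, 1234567890))
    print(gw.login("remote-engineer", "constructed-password", code, 1234567890))  # replay
    print(gw.audit)
```

Two design points matter for a defender: the token is only checked after the password succeeds, so a stolen password alone produces an audit entry rather than a session, and the `last_counter` bookkeeping means a code observed in transit is worthless once the legitimate user has used it, even inside the drift window.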
It is advisable to implement two-factor authentication in all services considered critical, such as SCADA or auxiliary security services, and always where remote access is required. Where it is not possible to implement these mechanisms in a given system, it is recommended that access to that system be limited and that monitoring of its access be increased. The use of a password manager to support 2FA should also be considered.
Deployment of two-factor authentication will allow for the mitigation, to a great extent, of more common attacks to steal access credentials to critical services. Some of the vectors used by cybercriminals in trying to get their hands on access to these systems through theft of user identity or legitimate machines are:
- Phishing campaigns to steal credentials.
- Exploitation of 0day vulnerabilities in our systems.
- Malware infection to obtain information and steal passwords.
- Brute force and dictionary attacks against different systems.
In these cases, if an attack of this kind succeeds but a two-factor system has been deployed, the attack by itself would not allow control of the system(s) to be obtained, as the second authentication factor would still be needed to access the system.
2FA and remote access control are a strategic element of defence in depth and appear in all policies and best-practice guides based on international standards.
Finally, it must be stated that 100% security does not exist and, even though a cybersecurity strategy may raise a company's level of protection, we must always be prepared to mitigate, in the shortest time possible, new vulnerabilities and attack vectors that can be used in subsequent attacks.