Centralised user authentication system, LDAP in ICS
The management of users and their passwords is one of the great challenges of the moment in industrial control systems due, in part, to the awareness and maturity, as far as cybersecurity is concerned, of those responsible for industrial security systems. In addition to this awareness, the main good practice guidelines and international security standards require a centralised system for user management.
One of the main security references, to give an example of a security requirement, which many sectors choose when making a secure design, is IEC 62443, which has in its Part 4-2:
- Part 4-2: Technical security requirements for IACS components - 5.5 CR 1.3 – Account management: "Devices must have the ability to support the administration of all accounts directly or integrated into a centralised system that manages those accounts, in accordance with 62443-3-3".
The centralised management of users and their passwords is of great help when applying security policies, since it allows, among many other functionalities, to manage parameters simply, such as the management of the complexity of stored passwords, to ensure compliance with our security policy, the expiration time of passwords or the obligation to renew them, as well as the management of user registrations and cancellations or changes of user roles, hitherto unmanageable in the industrial sector.
Being aware of the improvements brought by using this type of centralised management, we often do not see the complexity or the decisions during the design phase that involves the implementation of this type of services in the industrial sector.
The first decision we must make is about the type of centralised management to be implemented. Is an AAA (Authentication, Authorisation and Accounting) server necessary? Or do we simply opt for a password directory by using the LDAP (Lightweight Directory Access Protocol) protocol?
There are significant differences between an AAA server, such as RADIUS, and a password management server by directory, through the LDAP protocol, although it is outside the scope of this article, often in the industrial control systems, due to their heterogeneity, we must install both services in our infrastructure.
Having made the decision to set up a centralised user management server under LDAP, we need to be clear about our network architecture design, starting with a detailed analysis of the devices that need access to it, as well as the limitations of our industrial control system. Spending time analysing all possibilities, assessing their security risks and defining a correct segmentation, will be key to future security.
Network architecture, Purdue levels. Where do I put you, LDAP?
The guidelines to best safety practices and international standards assign level 3 “Site Manufacturing Operations and Control”, if our reference is the pyramid of SP-99 (Purdue levels).
- LDAP in the pyramid of Purdue levels. -
Access control in OT environments
Preventing unauthorised access to our OT environments, as well as following the principle of least privilege, they are two of the main access control challenges for which a centralised user management system is recommended. Industrial devices must uniquely identify users by means of an ID, just as they must apply robust password policies and be able to perform role management.
Being clear on this type of mandatory access control, we must also differentiate the areas and devices for which it would be necessary to create users and their roles or permissions.
Users and permissions for the management of the operation of an industrial control system must be different from those of the IT part. This requirement involves a segregation of the user management system, making it necessary to create a user management dedicated to the OT part. Derived from this requirement, it is necessary to analyse which devices are going to be managed through this OT centralised user management server.
All elements within an industrial control system must be managed through users and permissions of this branch of the centralised system, including users and permissions for both devices at Purdue Level 1 (PLC, RTU, DCS... ), such as devices at level 2 (HMI, Workstation, SCADA...) and those at Level 3 (Historian, Data Server...). Additionally, the control of users and roles should be extended to the management of other elements involved in the application of zone differentiation (switches, firewalls), as well as other security elements included in the industrial control system (machines or log servers, IDS ...).
At this point, all necessary users and their permits must be fully identified for the correct management of the industrial control system.
This part of defining the directory tree is key in addressing the implementation of a centralised LDAP system.
The conceptual scheme that we must recreate will be something similar to what is shown in the following diagram, in which the levels of automation and control are represented, as well as the users and permissions of their elements, which must be collected within the directory branch of LDAP users and passwords dedicated to OT.
- Diagram of LDAP use in OT environments. -
Security over LDAP
One of the details that should be considered about the implementation of the LDAP protocol is that its communications do not have a native mechanism that protects its confidentiality. Some security requirements, especially at the level of devices in areas considered critical, require protocols that ensure this confidentiality, either through communications encryption mechanisms, or through some type of countermeasure. To avoid taking actions in the future, such as point-to-point encryption, it is best to require both the LDAP customer and the LDAP server, from the beginning, to have the ability to set up a TLS (Transport Layer Security) tunnel, through a version considered safe for this, thereby increasing the security level.
The network resources, although it may seem that it is not an issue that should be considered in cybersecurity, really it is a risk that should also be assessed, especially when making decisions about which centralised user management system is most appropriate in our infrastructure.
Regarding security zones, even when defined at the segmentation level by means of firewalls, there may be the case of physical separations or changes of physical media in the transmission that involve a limitation of resources or bandwidth (MPLS networks, for example). This resource limitation will be key when locating our centralised user management system in the network and especially when choosing one or the other. The following table shows the differences in network resources between LDAP and RADIUS, which are the most-used options, although, as already mentioned, the two implementations often coexist.
- Differences in network resources between LDAP and RADIUS. -
Availability is essential in industrial devices, so doubts often arise about how to manage the loss of communication with a centralised user management system through LDAP, since it would result in the inability to log in to the device.
There are different approaches to solve this type of situations. The main one will be to consider redundant systems, this must be possible to demand to our industrial systems and ideally at least two servers would be configured, whether the same or different (Primary and Secondary). If these systems are considered critical, there must be an emergency procedure in the face of the loss of connection with these servers.
This emergency procedure can be configured by means of an authentication chain that, as in the case of secondary servers, it must be possible to demand, that is, to have a configuration option through which, in the event of losing control with LDAP server, it is possible to go the next link in the authentication chain. This option of access through an emergency username, as in other solutions, provides a previously logged username “memory”, with which it will be possible to connect despite not having a connection.
Verifying this type of authentication chains is a task of the primary cybersecurity officer, prior to the implementation of any centralised user management system.
Centralised user management, in addition to being a requirement in many of the regulations and good safety practice guidelines, solves one of the greatest inherited weaknesses in industrial control systems. This weakness was due to the use of generic passwords by all people in need of access to such device. Usually this security weakness was associated with the low or nil capacity of industrial devices to manage RBAC, resulting in an incorrect application of the least privilege and unique ID principles.
Having the possibility of identifying the user/machine that has performed a specific action is of great value in response to incidents, so having this type of centralised user management systems involves increasing the resilience of our industrial devices in the face of a incident.