Risk Accepted Access Management (RAAM) from an engineering-centric model, written by P@ssport
Nowadays, with the pressure to deliver operational excellence while keeping operational costs low, remote access to devices in the field is more effective than shipping people to the plant to do the monitoring on the spot.
We all know the advantages that remote access can bring to the Operational Process Automation environment: efficient and effective mobile access that can be used as a strategic advantage.
By using Industrial Internet of Things devices that can self-adjust, self-monitor and self-regulate events within an operational framework, you gain a business edge. These devices can predict maintenance needs long before humans could, so that unexpected downtime is avoided. For example, in the fracking industry there will be no need for a manned platform at most of the wells. But when the data has to be transported over unmanaged networks and processed in a datacenter that is not on your premises, you are exposed to risks. The same holds for IoT home automation (domotica) and its network data flows.
These "new" demands come at a price in terms of connectivity risks and therefore need to be addressed with regard to integrity, availability and confidentiality.
Looking at integrity first. Security experts will advise you: "Know which devices you have, and make sure that only managed end devices, such as company-owned laptops with a bootable secure image supplied by your organization, are used to set up remote access." Even then, what if the firmware is not OK? Sensible words, but what if you have to give access to third parties whose end devices you don't manage? What if the end device is communicating from a network that is not under your control? What if the end device runs remote endpoint software but still remains vulnerable to attacks? It is the same as closing your ears to communication.
ISO 27002: the control objective relating to the relatively simple sub-subsection 9.4.2, "Secure log-on procedures".
When we look at availability in line with the security objectives:
ISO 27002 9.4.2 requires two-factor authentication on remote devices, suitable authentication techniques, not disclosing sensitive information at log-on time, data entry validation, protection against brute-force attacks, logging, not transmitting passwords in the clear over the network, session inactivity timeouts, and access time restrictions for any remote access session.
From an ISO 27002 perspective the above is entirely understandable, but not from an Operational Technology standpoint, since most field devices or Internet of Things devices are not even capable of encryption, let alone of a two-factor handshake. They are fit for purpose and therefore minimalistic in their design, and were never designed for secure communications, exactly like their cousins, the Industrial Internet of Things devices that still use protocols designed in the 1970s. They share the same vulnerabilities that threaten the availability and integrity of these devices: insufficient authentication/authorization, no possibility of transport encryption, insecure web interfaces, insecure software. You can explain it as follows: at a conference, a known area for which you have registered yourself (accessing the Operational Automation Network), you can exchange business cards with a person. What does that say about the true identity of that person? Anyone who can print business cards can impersonate the identity and the title (sales, CEO, CFO) of the person you believe is in front of you. Therefore, in real life, we have added a second authentication method: a government-issued document like a passport. This document is so trusted that you can use it even to cross borders, book tickets and board an airplane. When was the last time you boarded a plane with your business card alone? My guess: never. Why, then, are we still using business cards (standard accounts) to communicate between devices? If you cannot see whether the data is trusted, and by whom or by which device it was securely delivered, you are in the dark.
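To make the 9.4.2 controls listed above concrete, here is an added example (not P@ssport's code and not part of the original post) of a remote log-on gate in Python that implements them: data entry validation, a second factor (an RFC 6238 style TOTP computed with HMAC), lockout after repeated failures, one generic failure message so that the log-on does not disclose which part was wrong, logging that never records the password, a session inactivity timeout and an access time window. The account store, the TOTP secret, the thresholds and the clock are constructed for the demo.

```python
"""Secure log-on gate covering the ISO 27002 9.4.2 controls.
Added example; the user store, secrets and clock are constructed."""
import hashlib
import hmac
import logging
import re
import secrets
import struct
import time
from dataclasses import dataclass

log = logging.getLogger("remote-logon")

MAX_FAILED = 5               # brute-force protection: lock after 5 bad attempts
LOCKOUT_SECONDS = 15 * 60    # lockout duration (constructed value)
IDLE_TIMEOUT = 10 * 60       # session inactivity timeout (constructed value)
ACCESS_WINDOW = (6, 22)      # remote sessions allowed 06:00-22:00 UTC only
USERNAME_RE = re.compile(r"^[a-z0-9._-]{1,32}$")  # data entry validation
GENERIC_FAILURE = "Log-on failed"  # never say whether user, password or OTP was wrong


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the store never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) as the second factor."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    failed: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    user: str
    last_activity: float


def make_account(password: str, totp_secret: bytes) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt, hash_password(password, salt), totp_secret)


class LogonGate:
    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts      # username -> Account (constructed store)
        self.clock = clock            # injectable clock so the policy is testable
        self.sessions = {}            # token -> Session

    def logon(self, username: str, password: str, otp: str):
        """Return (ok, message, session_token). Password is never logged."""
        now = self.clock()
        hour = time.gmtime(now).tm_hour
        if not (ACCESS_WINDOW[0] <= hour < ACCESS_WINDOW[1]):   # access time restriction
            log.warning("logon outside access window user=%r", username)
            return False, GENERIC_FAILURE, None
        if not USERNAME_RE.match(username) or not otp.isdigit():  # data entry validation
            log.warning("malformed log-on input")
            return False, GENERIC_FAILURE, None
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, b"\x00" * 16)  # same work for unknown users (timing)
            log.warning("logon failed for unknown user")
            return False, GENERIC_FAILURE, None
        if now < acct.locked_until:                    # brute-force lockout in effect
            log.warning("logon attempt on locked account user=%s", username)
            return False, GENERIC_FAILURE, None
        pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
        otp_ok = hmac.compare_digest(otp, totp(acct.totp_secret, now))
        if not (pw_ok and otp_ok):
            acct.failed += 1
            if acct.failed >= MAX_FAILED:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed = 0
                log.warning("account locked user=%s", username)
            else:
                log.warning("logon failed user=%s attempt=%d", username, acct.failed)
            return False, GENERIC_FAILURE, None
        acct.failed = 0
        token = secrets.token_hex(16)
        self.sessions[token] = Session(username, now)
        log.info("logon ok user=%s", username)
        return True, "ok", token

    def touch(self, token: str) -> bool:
        """Refresh a session; drop it if it has been idle longer than IDLE_TIMEOUT."""
        sess = self.sessions.get(token)
        if sess is None:
            return False
        now = self.clock()
        if now - sess.last_activity > IDLE_TIMEOUT:
            del self.sessions[token]
            log.info("session expired user=%s", sess.user)
            return False
        sess.last_activity = now
        return True
```

Every failure path returns the same `GENERIC_FAILURE` string, the log lines carry the username and outcome but never the password or OTP, and the lockout and window checks run before any password work so that a locked or out-of-hours attempt costs nothing. The clock is injected so the inactivity and access-window policies can be exercised deterministically.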
Last but not least, confidentiality. The data flow from a plant contains no privacy-related data, so why should we be bothered with it? Well, confidentiality also means that the data being sent comes from the device we expected it to be generated by, and not from some malicious code presenting itself from an IP address we trust. This is the prevailing state of machine-to-machine communication: the devices are all exchanging business cards but are not transparent in their connection requests about where the connection is set up from.
How do you know that the owner of the device is still in control of it, or whether a malicious outsider has taken over? Or that your privacy is not being sifted out of the big data your IoT wearable is sending out? You are in no position to judge, since nothing is reported back to you: you receive no signal about which data has been processed, where, and by whom.
You will need a business card and a "P@ssport" to make sure the connection is legitimate and trusted. By opening our confidential network on the firewalls we create encrypted tunnels, which are not inspected for malicious payloads that travel along with our "confidential" encrypted access requests. We have no way to see whether the VPN is correctly set up with our managed service providers and whether their endpoint security is set up to meet our confidentiality demands. Are you speaking with a device you trust, or are you alerting dark forces?
Our engineer-centric Triple A framework delivers those key security requirements for identity, networks, services, password provisioning and access mechanisms, with the capability to monitor and therefore prevent threats from entering your network (even zero-day exploits).
With the Triple A security analysis you are not only handing out titles (business cards) but proactively managing risks (identity theft, malicious intent). With our engineer-centric Triple A model you will be able to integrate with your current infrastructure and reuse it in a simpler and more cost-effective manner. You can set up a browser connection instead of managing and supplying endpoint devices. You can even use a secure USB stick that works on any device, even infected home devices. This means no more configuring and maintaining complex VPN tunnels only to get infected anyway. You can use our RAAM methodology to create new windows of opportunity with vendors and third-party suppliers for a fraction of the cost of your current solutions. You can have direct access to layer three with a single sign-on solution, accessible from wherever you want.
You can have maximum security, without fear of zero-day exploits or unpatchable devices, from our easily manageable console integrated into your own environment. These are the advantages that the Risk Accepted Access Management methodology, supported by the Triple A framework, offers your organization.
For more advice on your IoT devices, data and network integration within your current enterprise architecture and process automation or cloud applications, you can always contact us, even without an infosec pro. P@ssport has done this successfully for a critical infrastructure operator, enabling 27 plants to become compliant with security demands while keeping control over any remotely performed work, without sifting through meaningless logs of countless devices.
If you have an appetite for better and cheaper controls, more insight and the assurance that your systems keep their integrity, call us or drop us a mail. 100% security does not exist for them, but that doesn't mean that 100% integrity is not achievable for you.
Peter Rus, Enterprise Architect for P@ssport