Note from Tom: This is a sponsored blog post, one of at least two (the second will come out early next week). This is only the second time I’ve done a sponsored post, so I don’t undertake these lightly. XTec is the leading (dominant might be a better word) supplier of PIV card-based IDMS to federal government agencies. In many conversations with XTec as I was developing these posts, I was very impressed with them as a company, but also with the benefits of PIV card technology in general. I of course knew that this was a big thing with the Feds, but I never really thought about whether it would have advantages for the electric power sector. I hope this post will convince your organization to contact XTec (slindsay@xtec.com) to discuss this further.
Why should you use a PIV card-based IDMS?
Every organization needs to manage identity information and
access to physical and logical resources for their employees. Initially this process is manual. For
example, Joe or Mary at the front desk knows everybody in the organization and
will never let someone in who they don’t know, or who isn’t escorted by someone
they do know.
However, as they grow most organizations realize they need
an automated system, which we call an Identity Management System (IDMS). This
is especially important once the organization begins to have a significant
number of computer workstations. There is no way that Joe can constantly walk
around to make sure that nobody is using a system they’re not supposed to be
using. Joe doesn’t scale – and he especially can’t make sure that anybody who
accesses a workstation remotely is actually an employee or authorized
contractor, not a foreign hacker.
Because of this inevitable progression of needs, most organizations now have an IDMS. In fact, most of them have two. One is for physical access to buildings and other facilities and requires a card swipe; this IDMS is called a Physical Access Control System (PACS). The other is for logical access to computers and the networks they are attached to, and requires knowledge of a password. This leads to a number of problems.
The first problem is that having separate means of
authenticating physical and logical access is much harder to manage than is a
single system and can lead to confusion and missteps. For example, suppose an
employee is terminated from the company and their logical system access is immediately
removed. However, their physical access to one or more facilities remains
intact because somebody forgot to tell the physical security people to disable
it. This means the now-former employee may still be able to get inside a
facility and cause physical or even human damage in revenge for their firing.
The second problem is much larger: the need to use passwords for authentication to computers and other cyber assets. While physical access now usually requires just swiping a card, logical access to computers is still overwhelmingly based on passwords. There are many problems with passwords, but the most fundamental is the contradiction between
· The fact that more secure passwords are longer and more complex, and
· The fact that longer and more complex passwords are harder to remember.
This contradiction manifests itself in a number of ways, including:
1. Because most computer users have to remember passwords for a variety of systems, both at work and even more in their personal lives, they tend to reuse passwords. The result is that a breach at an employee’s favorite gaming site may result in a breach of your organization’s network, simply because the employee used the same password for both.
2. While all organizations, including electric utilities, require some degree of complexity in passwords, they are always cognizant of the fact that requiring too much complexity makes it harder for users to log in and increases the chance that they will be unsuccessful. This is especially important in the electric power industry, where being unable to quickly log into a system in an emergency could lead to an outage or worse.
3. Electric utilities often face the issue, in control centers, substations and generating stations, that multiple people, sometimes quite a few, will need access to one system at different times; sometimes this will be due to an emergency. For this reason, most utilities have shared passwords that need to be a) simple enough that they can be easily remembered by all who use them, or else b) written down where they are easily discoverable (e.g. in a substation control house). Neither of these is an attractive option, which means that shared passwords are a continuing problem for the electric power industry. (Shared passwords also defeat individual accountability: the logs show which password was used, not which person used it.)
4. When a user feels pressure to quickly log into a system, perhaps due to an emergency grid situation that needs to be addressed immediately, they are more likely to “fat-finger” or forget their password. If lockout is set to occur after a small number of login attempts (which is a best practice, of course), this leads to the perverse effect that the greater the urgency of the situation, the more likely it is that the user won’t be able to access the important system.
It was due to problems like these that in 2004 the US
government adopted a standard approach for identity and access management
across all agencies and the military under Homeland Security Presidential
Directive-12, or HSPD-12. The government needed a means by which it could
identify employees with a high degree of certainty, plus have a credential to
quickly and securely authenticate and authorize personnel. XTec was a
significant contributor to the standards that fall under HSPD-12 and is now the
largest provider of Personal Identity Verification, or PIV, solutions to the
federal government.
All federal agencies have been using PIV cards, and the Department of Defense its PIV-compliant Common Access Card (CAC), to authenticate employees and contractors for many years. This technology has been proven through widespread use. In fact, all nuclear power plants are already using PIV cards, as well as several large federally owned electric utilities. The federal government has in large part solved problems that electric utilities are still struggling with, most significantly the operational and CIP compliance problems that come with reliance on passwords.
1. Multi-factor authentication: The PIV smart card supports three authentication factors: something you have (the card, holding a private key that never leaves the chip, plus the matching X.509 certificate), something you know (a PIN), and something you are (a fingerprint, matched against the template enrolled on the card). Every time a user enters a building or uses a computing resource protected by XTec, any or all of these three factors can be required, depending on the security level of the resource.
2. Validation: The certificate is validated whenever the user logs on to a protected computer system. XTec validates a user and their credential through a set of Online Certificate Status Protocol (OCSP) responders and Certificate Revocation Lists (CRLs). OCSP gives a near-real-time answer for a single certificate, while a CRL is a periodically published, issuer-signed list of revoked serial numbers; either way, a revoked credential is rejected at the next logon rather than living on until someone remembers to disable the account. This status check ensures that an electric utility can be confident that only proper personnel will be granted access.
3. Authorization: The same console (AuthentX) that is used for authorizing access to particular systems is used to authorize access to physical facilities, including buildings. Authorization levels can be tied into Microsoft AD or other servers. Because qualification information can be stored in the certificate, permission-based certificates can also be used as additional identifiers for employees, for participation in particular activities or access to particular network locations. Permission-based certificates can be stored on the card and can record qualifications or completed trainings that may be used to determine what tasks the user is authorized to perform.
Organizations that use PIV card technology can provide a
single card to employees and contractors, which controls both physical access
to facilities and logical access to systems. Moreover, there is a single Identity
Management System - AuthentX. Whenever a new user is provisioned, they are
provided both physical and logical access. Your organization has granular
control over the specific facilities and systems they’re allowed to access. And
when they are removed from the system, both physical and logical access are
immediately disabled.
Even more importantly, the PIV card solves the password
problems described above:
1. There is no need to remember a password for logical access, so the problem of password reuse goes away.
2. Authentication is based on a private key generated and held inside the card’s chip, which is never exported; the X.509 certificate on the card is public and is only the means of verifying signatures made with that key. An attacker cannot “guess” a key of that size the way a password can be guessed. The PIN only unlocks the key on the card, and the card blocks itself after a small number of wrong PIN attempts, so the PIN can be a short numeric one. Thus, password complexity is no longer an issue (a stolen card with the PIN written on the back is still a loss, so the PIN must not be written down).
3. Because the only thing a user needs to remember is their own PIN, there is no need for shared passwords. Access to either a building or a system requires just inserting the card, entering the PIN, and for high risk areas an additional third factor: (usually) placing a finger on the fingerprint scanner.
4. The PIV card is built to be tamper-resistant, and the certificates and other data objects on it are digitally signed by the issuer, so an altered or counterfeit card fails validation when it is read.
5. The problem of fat-fingering or forgetting passwords goes away, since the user only has to remember a simple PIN.
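As an added illustration of the validation and “no guessable credential” points above (example code written for this post, not XTec’s or AuthentX’s code), the following Python script, which needs the `cryptography` package (`pip install cryptography`), simulates a PIV-style logon: the host sends a random nonce, the “card” signs it with its private key, and the host verifies the signature against the certificate, checks that the certificate chains to the issuing CA and is within its validity period, and then checks an issuer-signed CRL for revocation. The issuing CA, the users (alice, bob, mallory) and the fixed clock are all constructed for the example; a real deployment would query the issuer’s OCSP responders or fetch its published CRL instead of building one locally.

```python
"""Simulated PIV-style logon: challenge-response with the card's private key, then
issuer-chain, validity and CRL checks. Added illustration, not XTec's code."""
import datetime
import os

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2020, 12, 10, 12, 0, 0)  # constructed clock, naive = UTC
DAY = datetime.timedelta(days=1)


def _utc(dt):
    """Strip tzinfo: cryptography >= 42 returns aware datetimes from the *_utc properties."""
    return dt.replace(tzinfo=None) if dt.tzinfo else dt


def _validity(cert):
    if hasattr(cert, "not_valid_before_utc"):
        return _utc(cert.not_valid_before_utc), _utc(cert.not_valid_after_utc)
    return cert.not_valid_before, cert.not_valid_after  # older releases: naive UTC only


def issue_cert(common_name, key, issuer_cert=None, issuer_key=None):
    """Issue a certificate; with no issuer it is a self-signed CA (stand-in for an issuing CA)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    builder = (x509.CertificateBuilder().subject_name(subject)
               .issuer_name(issuer_cert.subject if issuer_cert else subject)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(NOW - DAY).not_valid_after(NOW + 365 * DAY))
    return builder.sign(issuer_key or key, hashes.SHA256())


def build_crl(ca_cert, ca_key, revoked_serials):
    """Issuer-signed CRL listing the revoked serials (the data an OCSP responder answers from)."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW - DAY).next_update(NOW + 7 * DAY))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW - DAY).build())
    return builder.sign(ca_key, hashes.SHA256())


def card_sign_challenge(card_key, nonce):
    """Card side: sign the host's nonce with the PIV Authentication key. On a real card this
    runs inside the chip after PIN verification and the private key never leaves it."""
    return card_key.sign(nonce, padding.PKCS1v15(), hashes.SHA256())


def verify_logon(user_cert, nonce, signature, ca_cert, crl, now=NOW):
    """Host side: returns 'granted' or 'denied: <reason>'; the first failing check wins."""
    # 1. Proof of possession. The certificate is public; only the signature proves the key.
    try:
        user_cert.public_key().verify(signature, nonce, padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return "denied: challenge signature invalid"
    # 2. Chain to a trusted issuer: issuer name matches and the CA key signed the TBS bytes.
    if user_cert.issuer != ca_cert.subject:
        return "denied: untrusted issuer"
    try:
        ca_cert.public_key().verify(user_cert.signature, user_cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), user_cert.signature_hash_algorithm)
    except InvalidSignature:
        return "denied: certificate signature invalid"
    # 3. Validity window.
    not_before, not_after = _validity(user_cert)
    if not not_before <= now <= not_after:
        return "denied: certificate outside validity period"
    # 4. Revocation, trusting only a fresh CRL signed by the same issuer.
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return "denied: CRL not signed by issuer"
    next_update = _utc(crl.next_update_utc) if hasattr(crl, "next_update_utc") else crl.next_update
    if next_update < now:
        return "denied: CRL stale"
    if crl.get_revoked_certificate_by_serial_number(user_cert.serial_number) is not None:
        return "denied: certificate revoked"
    return "granted"


def demo():
    """Constructed scenario: Alice active, Bob terminated (revoked), Mallory holding a copy of
    Alice's certificate but not her card. Returns {name: status}."""
    ca_key, alice_key, bob_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    ca_cert = issue_cert("Example Utility Issuing CA", ca_key)
    alice_cert = issue_cert("alice", alice_key, ca_cert, ca_key)
    bob_cert = issue_cert("bob", bob_key, ca_cert, ca_key)
    crl = build_crl(ca_cert, ca_key, [bob_cert.serial_number])
    results = {}
    for who, cert, key in (("alice", alice_cert, alice_key), ("bob", bob_cert, bob_key)):
        nonce = os.urandom(32)  # fresh per logon, so a captured signature cannot be replayed
        results[who] = verify_logon(cert, nonce, card_sign_challenge(key, nonce), ca_cert, crl)
    nonce = os.urandom(32)
    results["mallory"] = verify_logon(alice_cert, nonce, card_sign_challenge(bob_key, nonce), ca_cert, crl)
    return results
```

Running `demo()` grants Alice, rejects Bob at the revocation step, and rejects Mallory at the very first check: she holds a copy of Alice’s public certificate but signs with a different key, so possessing the certificate gives an attacker nothing without the card’s private key. The order of the checks matters in practice too: a stale or unsigned CRL is a failure, not a pass, so an attacker who blocks the path to the revocation source does not get in by default.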
Why should you use the XTec IDMS solution?
These are the most important reasons why you should choose
XTec as your PIV card-based Identity Management Solution:
First, XTec offers the most secure Identity Management
System product on the market. The reasons for this include:
a. All data is encrypted at rest and in transit. Only secure communications are used and all media use encrypted drives, which are destroyed after use.
b. AuthentX utilizes a certificate issuance infrastructure based on the Federal Public Key Infrastructure (FPKI). All digital certificates come from an established environment of trust. All portions of this certificate issuance architecture are protected by stringent certificate policies and certification practice statements.
c. XTec’s AuthentX (IDMS) and PACS system with XNodes are provided as sealed, single-purpose systems; all appliances are purpose-built to prevent tampering. XTec does all updating and patching automatically.
d. XTec’s PIV cards can’t be tampered with (without invalidating them) or counterfeited.
e. XTec’s solution, AuthentX, resides in three geographically dispersed high security data centers and holds a FedRAMP High authorization.
Second, XTec follows published and open standards, as put forth by NIST and the federal government (FIPS 201 and the NIST SP 800-73 series). An organization using XTec is not committing to a proprietary technology. The system can interoperate with other vendors’ PIV cards, and XTec cards will be accepted by other organizations’ PIV-based IDMS. This is especially important during emergencies if government agencies (e.g. FEMA, CISA, DHS, the US military or the National Guard) need to be granted access to your assets, since their employees also carry PIV/CAC cards.
Third, XTec can be used for just about all identification and authorization needs, including access to both IT and OT systems, access to buildings and other physical facilities, and authentication during emergency recoveries. The card itself is often worn on a lanyard; since it carries the organization’s logo and the holder’s photograph, it also serves as a visual “flash pass” badge.
Fourth, because XTec PIV cards support three authentication factors, they can be used to securely authenticate Interactive Remote Access (IRA), whether into NERC CIP-protected Electronic Security Perimeters, IT networks, or Distribution OT networks (NERC CIP-005 already requires multi-factor authentication for IRA sessions). Most VPN software supports X.509 client certificate authentication, and because the private key never leaves the card, an IRA session can only be initiated by someone holding the card and its PIN, provided the machine they are using is itself protected by PIV card authentication.
Fifth, the digital signature certificate on a user’s PIV card can be used to sign emails (S/MIME), and the key management certificate to encrypt them. A signed message lets the recipient verify who actually sent it and that it was not altered in transit, which is what makes a spoofed “urgent request from the boss” detectable. With phishing and ransomware attacks on the rise, and especially with an increased number of employees working remotely, locking down email is a top priority for all organizations, especially utilities.
Sixth, XTec provides an ideal solution for allowing access
to contractors: Issue them a badge and grant access only when and where it is
required. If a contractor works for other customers who use PIV cards, they can
use their XTec card to access those facilities as well, whether or not they are
also XTec customers.
Seventh, if your utility sometimes has to quickly onboard workers from other utilities or from contractors to help recover from an emergency like a hurricane or flooding, you will be able to benefit from XTec’s long association with the Federal Emergency Management Agency (FEMA). In incidents like Superstorm Sandy, XTec has set up mobile stations to enroll and provide special-purpose PIV cards to guest workers, as well as authenticate existing employees. XTec can do the same for you. For more information on using XTec for emergency response, see next Monday’s (December 14) blog post or the white paper on Mutual Aid, available at http://www.xtec.com/solutions/critical-infrastructure.html.
Last but certainly not least, XTec can save your NERC CIP compliance team huge amounts of time and effort in documenting compliance with at least 36 NERC CIP requirement parts applicable to high, medium and low impact BES Cyber Systems. This includes all requirements having to do with passwords, to the extent that XTec eliminates the need for system passwords in your environment (password requirements such as those in CIP-007 R5 continue to apply to any accounts that still use them). See the white paper “How XTec can help you comply with NERC CIP requirements”, available at http://www.xtec.com/solutions/critical-infrastructure.html.
To learn more about how XTec can help secure your
organization, email Steve Lindsay at slindsay@xtec.com.
Steve and Danny Vital of XTec are presenting two webinars to introduce XTec to
the electric power industry this month. One is part of (virtual) Distributech
on Dec. 18; you can sign up here.
The other is part of (virtual) PowerGen on Dec. 14; the signup for that webinar
is here.