Tuesday, December 8, 2020

What you should know about PIV cards

Note from Tom: This is a sponsored blog post, one of at least two (the second will come out early next week). This is only the second time I’ve done a sponsored post, so I don’t undertake these lightly. XTec is the leading (dominant might be a better word) supplier of PIV card-based IDMS to federal government agencies. In many conversations with XTec as I was developing these posts, I was very impressed with them as a company, but also with the benefits of PIV card technology in general. I of course knew that this was a big thing with the Feds, but I never really thought about whether it would have advantages for the electric power sector. I hope this post will convince your organization to contact XTec (slindsay@xtec.com) to discuss this further.


Why should you use a PIV card-based IDMS?

Every organization needs to manage identity information and access to physical and logical resources for its employees. Initially this process is manual. For example, Joe or Mary at the front desk knows everybody in the organization and will never let in someone they don’t know, or who isn’t escorted by someone they do know.

However, as they grow, most organizations realize they need an automated system, which we call an Identity Management System (IDMS). This is especially important once the organization has a significant number of computer workstations. There is no way that Joe can constantly walk around to make sure that nobody is using a system they’re not supposed to be using. Joe doesn’t scale – and he especially can’t make sure that anybody who accesses a workstation remotely is actually an employee or authorized contractor, not a foreign hacker.

Because of this inevitable progression of needs, most organizations now have an IDMS. In fact, most of them have two. One is for physical access to buildings and other facilities, which requires a card swipe; this IDMS is called a Physical Access Control System (PACS). The other is for logical access to computers and the networks they’re attached to, and it requires knowledge of a password. This leads to a number of problems.

The first problem is that having separate means of authenticating physical and logical access is much harder to manage than a single system and can lead to confusion and missteps. For example, suppose an employee is terminated and their logical system access is immediately removed, but their physical access to one or more facilities remains intact because somebody forgot to tell the physical security people to disable it. The now-former employee may still be able to get inside a facility and cause physical or even human damage in revenge for their firing.

The second problem is much larger: the need to use passwords for authentication to computers and other cyber assets. While physical access now usually requires just swiping a card, logical access to computers is still overwhelmingly based on passwords. There are many problems with passwords, but the most fundamental is the contradiction between

· The fact that more secure passwords are longer and more complex, and

· The fact that longer and more complex passwords are harder to remember.

This contradiction manifests itself in a number of ways, including:

1. Because most computer users have to remember passwords for a variety of systems - both at work and even more in their personal lives - they tend to reuse passwords. The result is that a breach at an employee’s favorite gaming site may lead to a breach of your organization’s network, simply because the employee used the same password for both.

2. While all organizations, including electric utilities, require some degree of complexity in passwords, they are always cognizant that requiring too much complexity makes it harder for users to log in and increases the chance that they will fail. This is especially important in the electric power industry, where being unable to log into a system quickly in an emergency could lead to an outage or worse.

3. Electric utilities often face the issue, in control centers, substations and generating stations, that multiple people – often more than a handful – will need access to one system at different times, sometimes because of an emergency. For this reason, most utilities have shared passwords that need to be either a) simple enough that everyone who uses them can easily remember them, or b) written down where they are easily discoverable (e.g. in a substation control house). Neither of these is an attractive option, which means that shared passwords are a continuing problem for the electric power industry.

4. When a user feels pressure to log into a system quickly – perhaps due to an emergency grid situation that needs to be addressed immediately – they are more likely to “fat-finger” or forget their password. If lockout is set to occur after a small number of failed login attempts (which is a best practice, of course), this leads to the perverse effect that the greater the urgency of the situation, the more likely it is that the user won’t be able to access the important system.

It was due to problems like these that in 2004 the US government adopted a standard approach for identity and access management across all agencies and the military under Homeland Security Presidential Directive-12, or HSPD-12. The government needed a means by which it could identify employees with a high degree of certainty, plus have a credential to quickly and securely authenticate and authorize personnel. XTec was a significant contributor to the standards that fall under HSPD-12 and is now the largest provider of Personal Identity Verification, or PIV, solutions to the federal government.

All federal agencies have been utilizing PIV and CAC (the military version of PIV) cards to authenticate employees and contractors for many years. This technology has been proven through widespread use. In fact, all nuclear power plants are already using PIV cards, as well as several large federally owned electric utilities. The federal government has in large part solved problems that electric utilities are still struggling with, most significantly the operational and CIP compliance problems that come with reliance on passwords.

XTec’s AuthentX IDMS for Utilities is based on the same technology that secures the government. It provides three primary services:

1. Multi-factor authentication: The PIV smart card supports three authentication factors: possession of the card with its embedded X.509 certificate, a PIN, and a fingerprint template. Every time a user enters a building or uses a computing resource protected by XTec, any or all of these three factors can be required, depending on the security level.

2. Validation: The certificate is validated whenever the user logs on to a protected computer system. XTec validates the user and their credential through a set of Online Certificate Status Protocol (OCSP) responders and Certificate Revocation Lists (CRLs). This real-time status check ensures that an electric utility can be confident that only proper personnel will be granted access.

3. Authorization: The same console (AuthentX) that is used to authorize access to particular systems is used to authorize access to physical facilities, including buildings. Authorization levels can be tied into Microsoft Active Directory (AD) or other servers. Because qualification information can be stored in a certificate, permission-based certificates can also be used as additional identifiers for employees, for participation in particular activities or access to particular network locations. Permission-based certificates can be stored on the card and can record qualifications or completed trainings that determine which tasks the user is authorized to perform.

Organizations that use PIV card technology can provide a single card to employees and contractors, which controls both physical access to facilities and logical access to systems. Moreover, there is a single Identity Management System - AuthentX. Whenever a new user is provisioned, they are provided both physical and logical access. Your organization has granular control over the specific facilities and systems they’re allowed to access. And when they are removed from the system, both physical and logical access are immediately disabled.

Even more importantly, the PIV card solves the password problems described above:

1. There is no need to remember a password for logical access, so the password reuse problem goes away.

2. There is no way an attacker could “guess” the private key behind a user’s digital certificate. This means that the required PIN (stored and checked on the card itself) can be very simple, so password complexity is no longer an issue.

3. Because the only thing a user needs to remember is their own PIN, there is no need for shared passwords. Access to either a building or a system requires just inserting the card, entering the PIN and, for high-risk areas, an additional third factor: (usually) placing a finger on the fingerprint scanner.

4. Because of the construction of the PIV card itself, it cannot be counterfeited or tampered with.

5. The problem of fat-fingering or forgetting passwords goes away, since the user only has to remember a simple PIN.
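As an added example (not code from this post or from XTec), here is the logon the multi-factor and validation services above describe and the reason item 2 gives for a short PIN, in Go with only the standard library: the card signs a fresh challenge with its on-card private key (the PIN only unlocks that key on the card and never reaches the verifier), and the relying party checks that the certificate chains to the issuing CA and is in date, that its serial is not in the revoked set a CRL or OCSP responder would supply, and that the signature covers this exact challenge. The CA, the holder, serial 42 and the revoked set are constructed for the example; revocation is a set of serials here rather than a parsed CRL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CardSign is the card's side: the on-card private key (unlocked by the PIN, which never leaves the card) signs the verifier's fresh challenge.
func CardSign(key *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// Verify is the relying party: the card cert must chain to the CA and be in date, its serial must not
// be in the revoked set (what a CRL or OCSP answer yields), and the signature must cover this exact challenge.
func Verify(ca, cert *x509.Certificate, revoked map[string]bool, challenge, sig []byte) error {
	if cert.CheckSignatureFrom(ca) != nil || time.Now().Before(cert.NotBefore) || time.Now().After(cert.NotAfter) {
		return errors.New("certificate not valid under this CA")
	}
	if revoked[cert.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(cert.PublicKey.(*ecdsa.PublicKey), h[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Issue builds a throwaway PKI for this example (constructed, not a real FPKI): a CA and a card cert (serial 42) for holder.
func Issue(holder string) (ca, cert *x509.Certificate, key *ecdsa.PrivateKey) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Utility CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	key, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: holder},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, ca, &key.PublicKey, caKey)
	cert, _ = x509.ParseCertificate(der)
	return
}
```

A signature captured from one logon fails against the next challenge, and a revoked serial is rejected even when the signature is good, which is what the real-time status check buys you over a password.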

Why should you use the XTec IDMS solution?

These are the most important reasons to choose XTec as your PIV card-based Identity Management Solution:

First, XTec offers the most secure Identity Management System product on the market. The reasons for this include:

a. All data is encrypted at rest and in transit. Only secure communications are used and all media use encrypted drives, which are destroyed after use.

b. AuthentX utilizes a certificate issuance infrastructure based on FPKI (Federal Public Key Infrastructure). All digital certificates come from an established environment of trust. All portions of this certificate issuance architecture are protected by stringent policies and practice statements.

c. XTec’s AuthentX (IDMS) and PACS system with XNodes are provided as sealed, single-purpose systems; all appliances are purpose-built to prevent tampering. XTec does all updating and patching automatically.

d. XTec’s PIV cards can’t be tampered with (without invalidating them) or counterfeited.

e. XTec’s solution, AuthentX, resides in three geographically dispersed high security data centers and holds a FedRAMP High certification.

Second, XTec follows published and open standards, as put forth by NIST and the federal government. An organization using XTec is not committing to a proprietary technology. The system can interoperate with other vendors’ PIV cards, and XTec cards will be accepted by other organizations’ PIV-based IDMS. This is especially important during emergencies, if government agencies (e.g. FEMA, CISA, DHS, the US military or the National Guard) need to be granted access to your assets, since their employees also carry PIV/CAC cards.

Third, XTec can be used for just about all identification and authorization needs, including access to both IT and OT systems, access to buildings and other physical facilities, and authentication during emergency recoveries. The card itself is often worn on a lanyard; it can be used as a generic flash pass, since it carries a logo and a photo of the holder.

Fourth, because XTec PIV cards support three authentication factors, they can be used to securely authenticate Interactive Remote Access (IRA), whether into NERC CIP-protected Electronic Security Perimeters, IT networks or Distribution OT networks. And because most VPN software supports X.509 certificate authentication, nobody other than the proper person can ever initiate an IRA session, if the machine they’re using is protected by PIV card authentication.

Fifth, the certificate on a user’s PIV card can be used to digitally sign emails. With phishing and ransomware attacks on the rise, and especially with an increased number of employees working remotely, locking down emails is a top priority for all organizations, especially utilities.

Sixth, XTec provides an ideal solution for giving contractors access: issue them a badge and grant access only when and where it is required. If a contractor also works for other customers who use PIV cards, they can use their XTec card to access those facilities as well, whether or not those customers are also XTec customers.

Seventh, if your utility sometimes has to quickly onboard workers from other utilities or from contractors to help recover from an emergency like a hurricane or flooding, you will be able to benefit from XTec’s long association with the Federal Emergency Management Agency (FEMA). In incidents like Superstorm Sandy, XTec has set up mobile stations to enroll and provide special-purpose PIV cards to guest workers, as well as to authenticate existing employees. XTec can do the same for you. For more information on using XTec for emergency response, see next Monday’s (December 14) blog post or the white paper on Mutual Aid, available at http://www.xtec.com/solutions/critical-infrastructure.html.

Last but certainly not least, XTec can save your NERC CIP compliance team huge amounts of time and effort in documenting compliance with at least 36 NERC CIP requirement parts applicable to high, medium and low impact BES Cyber Systems. This includes all requirements having to do with passwords, since XTec can eliminate the need for system passwords in your environment. See the white paper “How XTec can help you comply with NERC CIP requirements”, available at http://www.xtec.com/solutions/critical-infrastructure.html.

To learn more about how XTec can help secure your organization, email Steve Lindsay at slindsay@xtec.com. Steve and Danny Vital of XTec are presenting two webinars to introduce XTec to the electric power industry this month. One is part of (virtual) Distributech on Dec. 18; you can sign up here. The other is part of (virtual) PowerGen on Dec. 14; the signup for that webinar is here.
