In December, I put up two sponsored
posts (which ended up getting a little overwhelmed since they came immediately
before and immediately after the SolarWinds attacks were announced) about XTec,
the leading vendor of PIV (personal identity verification) cards to the federal
government and to the military (although the military version of the card is referred
to as CAC). The introductory post is here
and a second one, dealing with how PIV cards can help in emergency response
situations, is here.
Now I’m happy to announce that I’ll
be participating in an XTec-sponsored webinar with the above title, which will
be conducted by Energy Central on April 15 from 2:00 to 3:30 PM Eastern Time
(and don’t tell me you have to do your taxes. The IRS pushed back the due date ’til May 17. Of course, I don’t recommend waiting until the evening of that date to start!).
Registration is here.
If you sign up but can’t make the webinar, you’ll be sent a link to the
recording afterwards.
The purpose of the webinar is twofold: to describe the many security benefits of PIV card technology (my favorite: No more passwords!) and to discuss specific ways in which a PIV card-based solution (preferably XTec’s, of course, but the webinar focuses on the technology itself; PIV is an open standard implemented by multiple vendors) can help a NERC entity comply with the NERC CIP standards. The webinar identifies about 23 CIP requirement parts for which XTec can help you meet a substantial portion of the part, or in some cases the entire part. For example, there are at least six requirement parts for which PIV cards will eliminate your entire compliance obligation, other than documenting why that is the case. This is because these parts address risks arising from the use of passwords, and – as I’ve already said and we’ll say repeatedly in the webinar – PIV cards eliminate the need for passwords.
Two XTec staff members (one of whom, Danny Vital, will also participate in the webinar) and I have prepared a white paper which is the basis for our discussion on the 15th; but if you want to get a jump on the webinar, you can read the paper. It will be posted on XTec’s web site soon, but I’ve reproduced the entire paper below. See you next Thursday!
Using PIV cards to increase security and lower CIP compliance costs
In 2004, the US government committed to a new standard for
identity and access management across all civilian and military agencies: PIV (Personal Identity Verification for
government) and CAC (Common Access Card for military) cards. Today, almost all
federal government and military personnel carry a PIV or CAC card, which authenticates
their access both to physical facilities and to systems that support their
work. (In this paper we will refer to
the technology as PIV for brevity.)
In the electric power industry, this same technology can
both make your organization more secure and greatly reduce the amount of time
and money you spend on NERC CIP compliance. In this white paper, we will discuss
the five most important ways in which PIV cards can help your organization
achieve both of these goals.
One card for physical and logical access
One of the most important features of PIV cards is that the
user only has to carry one card. It authenticates both physical access to
buildings and other facilities, and logical access to computers and other
intelligent devices the employee uses to perform their work. Of course, this is
a big convenience for the user, since they just need to carry one card and remember
one simple PIN.
However, PIV cards are an even bigger convenience for the
organization that implements them. There are several reasons for this:
- Both physical and logical access can be
provisioned at once, based on the person’s role.
- When the person changes jobs, their previous
accesses can be quickly disabled and their new accesses immediately
provisioned.
- When the person leaves the organization, all of
their physical and logical access can be removed in one step.
Having a single access management console for both physical
and logical access can save your organization a lot of time in complying with the
following CIP requirement parts:
- CIP-004-6 R4.1 through R4.4: A single identity management system can authorize, provision, review, and remove an individual’s access both to systems and to physical facilities. Role-based provisioning makes this straightforward once your organization has defined its roles.
- CIP-004-6 R5.1 through R5.5: Your
organization can quickly remove access to the systems, physical facilities
and information repositories (including those for BES Cyber System
Information), to which an individual had access; this is done at a single
console and with minimal delay. You can do this whether the individual was
terminated, left voluntarily, or changed roles within the organization.
- CIP-006-6 R1.2, R1.3 and R1.8: PIV cards provide
multi-factor authentication and logging at all physical facilities.
Multi-factor authentication
You probably already understand the principle behind multi-factor authentication (MFA): your security is greatly enhanced if the user needs to supply more than one “factor” whenever they enter a building or log on to a computer. There are three types of factors:
- Something you know (a password or PIN)
- Something you have (a card that contains an
electronic identifier, or a number provided to the user via a hard or soft
security token, or a text to their cell phone)
- Something you are (a biometric “template” like a
fingerprint)
A PIV card allows use of all three of these factors in
authentication:
- Upon inserting their PIV card for access to a
building or a system, the user is prompted to enter their simple PIN –
something they know.
- The card contains an X.509 digital certificate,
which cannot be copied or altered – something the user has.
- A template of the user’s fingerprint is stored on
the card. Some PIV card readers have a fingerprint scanner, which compares
the fingerprint of the user to the fingerprint scan template that’s stored
on the card. This provides a third means of authentication – something the
user is.
With PIV cards and card readers in place, you can have
multi-factor authentication literally anywhere in your organization, i.e. a) for
access to all devices on both your IT and OT networks, and b) for access to physical
facilities including office buildings, substations, generating stations, etc. For
some systems or facilities requiring a higher level of security, you can also
require the fingerprint scan (or you might require it everywhere!). Conversely,
in lower-security situations you can require just the card, not a PIN.
One note: If you prefer contactless single-factor authentication in some cases – e.g. doors in low-risk areas – many PIV cards also have contactless capability, as long as contactless card readers are deployed.
There are two CIP requirement parts that require MFA, as
well as one part where it would be a good idea, but it’s not required. If your
organization uses PIV cards, you already have everything you need to comply
with them:
- CIP-003-8 R2 Attachment 1 Section 2: PIV
cards allow your organization to implement multi-factor authentication at
low impact NERC CIP assets, as well as medium and high impact assets. This
isn’t required, but it’s certainly a best practice.
- CIP-005-6 R2.3: If the remote system (e.g.
in an employee’s home) is protected with a PIV card reader, the employee
can be multi-factor authenticated for Interactive Remote Access using
their normal card and PIN.
- CIP-006-6 R1.3: The employee’s PIV card,
PIN and (optionally) fingerprint scan provide MFA for access to High
impact Control Centers.
No passwords
Many cybersecurity professionals will tell you that the biggest source of cyber risk in their organization is passwords. As Michael Chertoff, former head of Homeland Security, put it: “The password is by far the weakest link in cybersecurity today.”
In other words, it is far too easy to steal or guess passwords. Dragos reported that about half of the energy companies covered in their report used similar login credentials for both IT and OT networks, making it much easier for attackers who have compromised the IT network to penetrate the OT network.
Passwords present a fundamental problem: They need to be as
complex as possible in order to be secure, but they also need to be as simple
to remember as possible so that users don’t write them down, use the same
password across systems and on the internet, etc. In the electric power
industry, passwords are often shared, because of the need for multiple people
to be able to quickly access the same systems at different times (for example
in substations or Control Centers).
While there are some commercial solutions available to partially
address this problem, wouldn’t it be great if you could deploy the ultimate
solution: eliminate passwords altogether? With PIV cards, you can do that! PIV
cards contain a digital certificate that is unique to the individual and can’t
be copied or altered. This, along with a simple PIN entered by the user, provides
a higher level of security than even the most complex password. And you can
always require a fingerprint scan as well, when you believe the highest level
of security is required.
There are many NERC CIP requirements that are based on
passwords; PIV cards can help you comply with all of these, probably at a much
lower cost in staff time and money than you are incurring now. Here are some of
the most important examples:
- CIP-004-6 R5.5 and CIP-007-6 R5.3 both apply
to shared accounts. If your organization deploys PIV cards to employees
(and contractors, if needed), there will no longer be any need for shared
accounts. This is because the user will only need their card and an
easy-to-remember PIN. In fact, you will always be able to require a
fingerprint scan as well, for the highest level of security.
- CIP-007-6 R5.4 requires changing default
passwords. If a system is protected with a PIV card reader, any default
password that might be on the system is irrelevant; there is no pathway to
access the system, even if a user knows the default password.
- CIP-007-6 R5.5 and R5.6 require controls
on password length and complexity as well as password changes, but they
only apply to systems with “password-only authentication”. Any system with
a PIV card reader is out of scope for both of these requirements!
- CIP-007-6 R5.7 requires limitation on the
number of unsuccessful authentication attempts. When users are
authenticated using PIV cards, there is no password for an attacker to
guess. Any attempt to use an invalid PIV card even once will be blocked
and an alert generated, as will repeated attempts to enter an invalid PIN
with a valid card.
Storing PRA and training renewal dates on the PIV card
Besides the digital certificate and fingerprint scan template, other information (for example, certifications) can be stored on the card and read by the card reader to control access. Four very important pieces of information for NERC entities are whether a user – who has been granted electronic and/or unescorted physical access to BES Cyber Systems – has had a personnel risk assessment (PRA) and CIP training after being hired, and when each of those was last conducted. The PRA needs to be renewed every seven years and the training needs to be renewed at least every 15 months.
Specifically, there are three CIP requirement parts involved:
- CIP-004-6 R2.2: If a new employee has not yet completed their CIP training, they can be prevented from accessing High and Medium impact BCS, EACMS and PACS, or from having unescorted physical access to assets like Medium impact substations or High impact Control Centers.
- CIP-004-6 R2.3: If the employee has not renewed their training before the renewal date, they can be prevented from accessing High and Medium impact systems and facilities until they have renewed it. Access will automatically be blocked starting the day after their training expires.
- CIP-004-6 R3.5: If a new employee has not completed their Personnel Risk Assessment, or if an existing employee has not renewed their PRA in the last seven years, they can be prevented from accessing High and Medium impact systems and facilities until they have had a new PRA.
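As an added illustration (not part of the white paper or of any XTec product), the following Python models the access decision a card reader could make from PRA and training dates stored on the card, including the day-after-expiry cutoff the R2.3 item describes. The CardRecord fields, the evaluate_access function and the sample dates are hypothetical; the base PIV data model does not define such fields.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

TRAINING_MAX_MONTHS = 15  # CIP-004-6 R2.3: training renewed at least every 15 months
PRA_MAX_YEARS = 7         # CIP-004-6 R3.5: PRA renewed at least every seven years


@dataclass
class CardRecord:
    """Hypothetical data objects a reader pulls from the card (constructed for
    this example; the base PIV data model does not define these fields)."""
    cardholder: str
    training_completed: Optional[date]  # None: CIP training never completed
    pra_completed: Optional[date]       # None: PRA never performed


def add_months(d: date, months: int) -> date:
    """Shift d forward by `months`, clamping the day to the target month's
    length so 31 Jan + 15 months lands on 30 Apr, and 29 Feb + 7 years on 28 Feb."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def evaluate_access(rec: CardRecord, today: date) -> Tuple[bool, str]:
    """Decide whether the reader should grant access to Medium or High impact
    systems/facilities, citing the CIP-004-6 part behind any denial."""
    if rec.training_completed is None:
        return False, "R2.2: CIP training not completed"
    # Access stays valid through the expiry date and is blocked from the next day.
    if today > add_months(rec.training_completed, TRAINING_MAX_MONTHS):
        return False, "R2.3: CIP training expired"
    if rec.pra_completed is None:
        return False, "R3.5: personnel risk assessment not completed"
    if today > add_months(rec.pra_completed, 12 * PRA_MAX_YEARS):
        return False, "R3.5: personnel risk assessment expired"
    return True, "granted"


if __name__ == "__main__":
    # Constructed sample: training done 31 Jan 2020, so the last valid day is 30 Apr 2021.
    rec = CardRecord("J. Doe (constructed)", date(2020, 1, 31), date(2019, 6, 1))
    for day in (date(2021, 4, 30), date(2021, 5, 1)):
        print(day, evaluate_access(rec, day))
```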
Emergency response
When one electric utility has experienced a natural
disaster, other utilities will often provide skilled workers to help the
impacted utility recover. When this happens, it is usually quite hard for the
impacted utility to follow all of the personnel security requirements in CIP-004-6,
at the same time as they’re authorizing and authenticating emergency workers.
While a declaration of CIP Exceptional Circumstances will normally
protect the utility against any CIP violations being assessed as a result of
not strictly following the CIP-004-6 requirements, the fact remains that
emergency response situations open up a security hole that might be exploited
by a resourceful adversary.
One PIV solutions vendor has worked with federal agencies, primarily FEMA, to develop capabilities based on PIV cards that can mitigate much of the security risk associated with emergency response situations. These include:
a) Mobile enrollment and authentication facilities;
b) Capability to accept PIV cards issued by other organizations (government agencies, other utilities, and vendors);
c) Capability to create a “derived credential” on a smartphone, laptop, tablet or other mobile device; and
d) Capability to document exactly who had access to which facility at what time, even at the height of the crisis.
For more information on these topics, see these three white
papers:
- Enhancing your organization’s security using PIV
cards: http://www.xtec.com/media/Critical%20Infrastructure%20PIV.PDF
- 33 ways that PIV cards can help your organization
save time and money in NERC CIP compliance: http://www.xtec.com/media/Critical%20Infrastructure%20NERC%20CIP.PDF
- Use of PIV cards when Mutual Aid is required
during natural disasters: http://www.xtec.com/media/Mutual%20Aid.pdf.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would
love to hear from you. Please email me at tom@tomalrich.com.
excellent commentary and resources