Central operator management station using the SDM600 System Data Manager console (photo: ABB)
Preventing a potential cybersecurity nightmare
Unmanaged user accounts in industrial environments present significant cybersecurity risks
Cybersecurity is now central to the safe operation of industrial installations, but user accounts for many devices used in these installations are not properly managed. Central user account management combined with Role-Based Access Control is the perfect solution for managing user accounts and permissions efficiently and centrally while still providing a state-of-the-art security solution. This eliminates the nightmare of having unmanaged user accounts on hundreds of devices.
Too many user accounts are not properly managed
In many cases the factory default user accounts and passwords used in devices in industrial installations are unmanaged and remain unchanged. Shared and / or weak passwords are also an issue.
From a cybersecurity perspective, in today’s interconnected world, both factory default accounts and shared accounts represent a huge cybersecurity risk and are unacceptable. Besides cybersecurity concerns, both factory default and shared accounts can make control system management a nightmare for control system owners.
Consider the case in which a power outage occurs as a result of a changed configuration, but it cannot be established which employee actually changed the configuration because a shared account or a factory default account was used to access the system and make the change.
Another possible scenario is connected with a single employee leaving an organization. Since this member of staff knows a password that is shared by several other employees, a huge effort is required to change this shared password in a number of devices and locations, to ensure that the departing employee can no longer access the system. Last but not least, the remaining employees must also be informed of the new password, so that they can continue to carry out their work.
Legacy processes, tools and technologies can make it hard for security managers and system operators to change systems so as to adapt to and defend against new security threats. Security managers need proven, standardized technologies and modern tools to move to the next level. Central user account management combined with Role-Based Access Control (RBAC) is the perfect solution for managing user accounts and user permissions centrally and efficiently, while still providing a state-of-the-art security solution. It also eliminates the nightmare of having unmanaged user accounts on hundreds of devices.
Technological change has brought both operational benefits and cybersecurity risks
Substation automation, protection and control systems have changed significantly in the past decade. Systems have become more interconnected and provide end users with much more information, resulting in higher reliability, increased levels of control and higher productivity. Interoperability between different vendor products and systems has been achieved by deploying products and solutions based on open standards such as publications from the IEC 61850 series, Communication networks and systems for power utility automation, or IEC 60870-5-104, Telecontrol equipment and systems – Part 5-104: Transmission protocols – Network access for IEC 60870-5-101 using standard transport profiles, and by leveraging proven Ethernet technology.
This change in technology has brought huge benefits from an operational point of view, but it has also exposed utilities to the kind of cybersecurity threats that have been confronting traditional enterprise systems for years. Cybersecurity is an essential component of modern networks, but fragmented access policies across network devices risk exposing critical vulnerabilities.
Careless practices make system access easy
The heterogeneous nature of automation networks has complicated tasks such as revoking staff credentials, or changing default passwords. Factory default accounts often remain unchanged after handover from manufacturer to customer, and may even remain unchanged on devices for their entire lifetime. Such practices and unchanged factory default accounts make it easy for an attacker to access devices rapidly and without needing to possess any special skills or knowledge.
Furthermore, most control and network devices provide logging capabilities to record what users have done, but if all actions are performed under the umbrella of a factory default account, then the logged information and audit trail say nothing about who has really performed which actions.
Setting the stage for a possible solution
Control system owners and managers would probably welcome positive answers to the following questions to ensure the security of their systems:
- Would you like to manage user accounts easily?
- Would you like to administer new employees’ access and permissions in your company from a central point?
- Would you like to be able to remove or disable user credentials quickly from a single central location when an employee leaves your company?
- Would you like the changes you made in the central location to be immediately effective on all products from different vendors throughout your organization?
- Would you like to eliminate worry about default user accounts remaining active on unmanaged local devices?
The industry strikes back
Following demands from the North American Electric Reliability Corporation – Critical Infrastructure Protection (NERC-CIP) Standards, and many other cybersecurity requirements, the industry is adopting a common path to the future: IEC TS 62351-8: Power systems management and associated information exchange – Data and communications security – Part 8: Role-based access control. This Technical Specification sets out how vendors should implement and provide RBAC and central user account management to their customer base.
Since the arrival of IEC TS 62351-8 in 2011, users have been able to authenticate themselves across their organization to all devices in all networks, with a user-specific and unique user-id and password. Moreover, the addition or removal of users is done centrally, in a single step.
This technology offers not only the central management of user-ids and passwords, but also the management of user permissions by assigning roles to users, depending on their job roles in the organization (RBAC).
Possible solution for a nightmare scenario
Control systems need to be managed to ensure sustainable infrastructures. Managing a system means continually keeping its devices up-to-date.
The management of a cybersecurity policy can become complex; therefore to be efficient, security managers need support from software applications. A Role Based Access Control system is such an application. RBAC allows responsible persons to be able to manage users and their roles consistently from a central point – even for multiple control systems in different locations.
Not everybody needs to be a system administrator. A common sense approach in cybersecurity management is to grant the fewest possible privileges to every user. A RBAC system based on IEC TS 62351-8 enables the person responsible for security in a company to manage users for the entire system and assign roles to those users from one place.
IEC 62351 is a series of technical security International Standards that aims to secure power system-specific communication protocols such as IEC 61850 or IEC 60870-5-104. While most parts of the series have been released, more work is needed before systems compliant with IEC 62351 can be put on the market. IEC 62351-8, finalized and published in 2011, defines RBAC for power systems. This is not a new concept; it is in fact part of best practice in many IT systems. The use of RBAC in power systems makes it possible to reduce the number of permissions that have to be assigned to certain users, so that these users have only the permissions they need to perform their duties. This reduces the risk to the power system, as permissions are only assigned when they are actually needed, according to the principle of least privilege. The standard also defines a list of pre-defined roles (e.g., Viewer, Operator, etc.) and of pre-defined rights.
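The following is an added example, not ABB's code and not a copy of the IEC TS 62351-8 tables. It models the three ideas of this section and of the earlier discussion of audit trails in a few dozen lines of Python: a central directory that holds identities and role assignments, devices that authorize every action against that directory and record the individual user id, and a single central "disable" that revokes a departing employee on every device without touching any device. Only the Viewer and Operator roles come from the article; the ENGINEER role, the right names, the user names and the audit-trail layout are illustrative assumptions. A constructed audit trail from a legacy device with one shared "admin" account shows why such a log cannot say who changed the configuration.

```python
"""Central user account management with RBAC, in the spirit of IEC TS 62351-8.

Added example (not ABB's code, not the standard's role/right tables). Only the
Viewer and Operator roles are named in the article; ENGINEER and the right
names below are illustrative assumptions.
"""
from dataclasses import dataclass, field

# Role -> rights. Simplified illustrative mapping, not the standard's table.
ROLE_RIGHTS = {
    "VIEWER":   {"view", "read"},
    "OPERATOR": {"view", "read", "control"},
    "ENGINEER": {"view", "read", "control", "config"},  # assumed role name
}


@dataclass
class CentralDirectory:
    """The single place where identities and role assignments live."""
    users: dict = field(default_factory=dict)  # user_id -> {"role": ..., "enabled": ...}

    def add_user(self, user_id: str, role: str) -> None:
        self.users[user_id] = {"role": role, "enabled": True}

    def disable_user(self, user_id: str) -> None:
        # One central change. Every device consults the directory, so no
        # per-device password reset is needed when somebody leaves.
        self.users[user_id]["enabled"] = False

    def rights_for(self, user_id: str) -> set:
        rec = self.users.get(user_id)
        if rec is None or not rec["enabled"]:
            return set()
        return ROLE_RIGHTS[rec["role"]]


@dataclass
class Device:
    """A device that authorizes each action against the central directory and
    writes the individual user id into its audit trail."""
    name: str
    directory: CentralDirectory
    audit: list = field(default_factory=list)  # (device, user, right, outcome)

    def perform(self, user_id: str, right: str) -> bool:
        allowed = right in self.directory.rights_for(user_id)
        self.audit.append((self.name, user_id, right, "allowed" if allowed else "denied"))
        return allowed


def who_did(audit: list, right: str) -> set:
    """User ids that successfully exercised `right`, according to the audit trail."""
    return {user for _, user, r, outcome in audit if r == right and outcome == "allowed"}


def shared_account_audit() -> list:
    """Constructed audit trail of a legacy device with one shared local 'admin'
    account: two different people change the configuration, but the log can
    only record the shared identity."""
    return [("legacy-rtu", "admin", "config", "allowed"),   # really Alice
            ("legacy-rtu", "admin", "config", "allowed")]   # really Bob


def demo() -> dict:
    directory = CentralDirectory()
    directory.add_user("alice", "ENGINEER")
    directory.add_user("bob", "OPERATOR")
    ied1 = Device("ied-1", directory)
    ied2 = Device("ied-2", directory)

    results = {
        "alice_config_ied1": ied1.perform("alice", "config"),  # True
        "bob_config_ied1": ied1.perform("bob", "config"),      # False: least privilege
        "bob_control_ied2": ied2.perform("bob", "control"),    # True
    }
    # Alice leaves the company: one central change revokes her on every device.
    directory.disable_user("alice")
    results["alice_config_ied2_after_revoke"] = ied2.perform("alice", "config")  # False
    # Central audit with individual accounts: attribution works ...
    results["who_changed_config"] = who_did(ied1.audit + ied2.audit, "config")  # {"alice"}
    # ... whereas the shared-account log cannot distinguish Alice from Bob.
    results["who_changed_config_shared"] = who_did(shared_account_audit(), "config")  # {"admin"}
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the design is that devices hold no local account table at all: authorization and revocation are decided in one place, and the audit trail on every device carries a user id that a person can be held responsible for.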
Adhering to International Standards as closely as possible
To ensure high quality and dependable cybersecurity functionality in heterogeneous installations, it is fundamental to adhere to International Standards as far as possible. A high level of cybersecurity can only be achieved by deploying and using reviewed, approved and standardized technologies and methods, especially when installing devices from different vendors. Utilities not following such a wise path can find themselves locked into a single supplier offering proprietary solutions.
Cybersecurity cannot be optimized without knowing everything that is going on in the system. Security related events, like access and other user activities in different system components, need to be monitored to identify potential attacks and to optimize protection. Central user activity logs collect cybersecurity related events from the system devices and make the information available to responsible personnel. An efficient and user-friendly approach, such as automatic recognition of event patterns, is a key feature of such monitoring applications.
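As an added illustration of the central activity log and the "automatic recognition of event patterns" mentioned above (example code, not ABB's or any product's), the script below parses a few constructed syslog-style authentication records from several substation devices and applies two patterns a responsible person would want flagged: any successful login with a factory default account name, and one user id failing to log in repeatedly across different devices within a short window. The second pattern is only visible because the logs are collected centrally; no single device sees enough to raise it. The log format, device names, account names and the list of default account names are assumptions.

```python
"""Central user-activity log with simple event-pattern recognition.

Added example (not the article's or any product's code). The log format,
device names, user names and default-account list are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style lines as a central collector might receive them.
SAMPLE_LOG = """\
2024-05-01T10:00:02Z ied-1 auth user=alice result=success
2024-05-01T10:00:15Z ied-1 auth user=admin result=success
2024-05-01T10:01:00Z ied-2 auth user=mallory result=failure
2024-05-01T10:01:05Z ied-3 auth user=mallory result=failure
2024-05-01T10:01:09Z ied-1 auth user=mallory result=failure
2024-05-01T10:01:12Z ied-4 auth user=mallory result=failure
2024-05-01T10:30:00Z rtu-7 auth user=bob result=success
"""

# Factory default account names to watch for (illustrative assumption).
DEFAULT_ACCOUNTS = {"admin", "root", "guest"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) auth user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse(log_text: str) -> list:
    """Turn raw lines into event dicts; unparsable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a real collector would count and report these
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def default_account_logins(events: list) -> list:
    """Pattern 1: any successful login under a factory default account name."""
    return [(e["device"], e["user"]) for e in events
            if e["result"] == "success" and e["user"] in DEFAULT_ACCOUNTS]


def failed_login_bursts(events: list, threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> dict:
    """Pattern 2: one user id failing `threshold` or more times, on any devices,
    within `window`. Returns user -> sorted list of devices involved."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_user[e["user"]].append(e)
    alerts = {}
    for user, fails in by_user.items():
        fails.sort(key=lambda e: e["ts"])
        for i in range(len(fails)):
            run = [f for f in fails[i:] if f["ts"] - fails[i]["ts"] <= window]
            if len(run) >= threshold:
                alerts[user] = sorted({f["device"] for f in run})
                break
    return alerts


def analyse(log_text: str = SAMPLE_LOG) -> dict:
    events = parse(log_text)
    return {"default_account_logins": default_account_logins(events),
            "failed_login_bursts": failed_login_bursts(events)}


if __name__ == "__main__":
    print(analyse())
```

On the sample log the first pattern reports the "admin" login on ied-1, and the second reports "mallory" failing on four different devices inside twelve seconds. Threshold and window are parameters so that a site can tune them against its own baseline of normal operator activity.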
State of the art cybersecurity products based on International Standards such as IEC TS 62351-8 enable efficient RBAC management of user accounts in multi-vendor control systems. They provide utilities with real-time visibility of the security-relevant user activity within their systems.
Proprietary cybersecurity implementations should be avoided if multi-vendor control systems are to be integrated seamlessly. The adoption of interoperable solutions that accord with IEC TS 62351-8 makes such integration much easier.
About the authors
Frank Hohlbaum – Security Manager Grid Automation, ABB Switzerland Ltd.
Frank is globally responsible for all aspects of cybersecurity within ABB’s Power System Substations and drives the security activities in this business unit. He is an active member of the Power System Security Council and represents the business unit Power System Substations. Frank Hohlbaum joined ABB in 1996 and has 20 years’ experience in substation automation. Frank is a Member of IEC Technical Committee (TC) 57/Working Group (WG) 3: Telecontrol protocols.
Bart de Wijs – Head of Cybersecurity for ABB's Power Grids Division.
Bart represents this division in the ABB Group Cybersecurity Council, which is a cross-disciplinary team staffed with resources from various corporate functions. Additionally, he is a member of the ABB Cybersecurity Response Team, handling vulnerabilities and incidents. Within the division he leads a team of cybersecurity specialists dealing with the different aspects of all the security-related concerns that could affect ABB customers. He is a member of various cybersecurity expert groups. Between 2007 and 2010 Bart was responsible for cybersecurity in ABB’s Power Generation business unit.
Fernando Alvarez – Cybersecurity Technical Product Manager, ABB Switzerland Ltd.
Fernando is responsible for supporting the development of different cybersecurity technologies in ABB products and for managing and tracking ABB’s cybersecurity intellectual property. He is also an active member of IEC TC57/WG15: Data and communication security, the IEC group working on the IEC 62351 series of International Standards for power systems management and associated information exchange. Previously Fernando worked on securing the internal IT infrastructure of banks and on securing military communications.