How Managing Privileged Accounts Can Help You With Maintaining NERC CIP Requirements


Presented at ICScybersecCon 2014 by

Allowing remote connectivity to critical Industrial Control Systems (ICS) and other Operational Technology (OT) has major operational and business benefits; however, it has introduced new risks to the once-isolated ICS environment, especially when privileged ICS/OT accounts are accessed remotely by a third party. These accounts provide broad powers and are the most common entry points for attackers targeting ICS systems.

This presentation will unveil new information collected from real-world networks of leading energy, utility, and oil and gas companies that demonstrates the poor security state of privileged accounts and how Pass-the-Hash (PtH) attacks could take advantage of them. The data collected from these operational networks will show:

- what percentage of machines have hashes on them;
- the escalation model for password hashes, and how one machine can lead to a network breakdown;
- the pathway attackers can take across a network starting from one single password hash;
- how the percentage of vulnerabilities grows exponentially as an attacker works their way through a network;
- which machines are at greatest risk of having an exposed password hash, and how this relates to other machines, applications and systems on the network.

This real-world research will shine new light on common critical infrastructure weaknesses that many companies have yet to address. For example, from our experience of joint IT/ICS projects it became apparent that several companies were using a privileged account management infrastructure originally intended for the IT side to manage accounts in the ICS environment as well; the required separation between the two networks was not being addressed.

Attendees will walk away with an understanding of the challenges of network separation based on our real-world data, the steps they can take to implement a privileged account management system, and how its implementation can be used to protect against PtH attacks.
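As an added illustration of the escalation model the abstract describes (example code written for this page, not the presenters' data or tooling; the host and account names are a constructed inventory): a small Python model that computes how many hosts a single exposed hash can lead to, and how much that exposure shrinks once the IT admin account is kept off the ICS hosts.

```python
from collections import deque

# Constructed inventory (not the talk's data): host -> accounts whose password
# hashes are cached on it (logged-on users, services, scheduled tasks).
CACHED_HASHES = {
    "it-ws-01":   {"it-admin", "alice"},
    "it-srv-01":  {"it-admin"},
    "ics-hmi-01": {"it-admin", "ops-eng"},  # IT admin account also used on an ICS host
    "ics-eng-01": {"ops-eng"},
    "ics-plc-gw": {"ops-eng"},
}
# Constructed: account -> hosts on which it holds administrative rights.
ADMIN_ON = {
    "it-admin": {"it-ws-01", "it-srv-01", "ics-hmi-01"},
    "ops-eng":  {"ics-hmi-01", "ics-eng-01", "ics-plc-gw"},
    "alice":    {"it-ws-01"},
}

def reachable_hosts(start, cached=CACHED_HASHES, admin_on=ADMIN_ON):
    """Hosts that one compromised host can lead to under the PtH escalation model:
    admin on a host exposes its cached hashes, and each hash is usable wherever
    that account is an administrator. Breadth-first search over that graph."""
    seen, queue = {start}, deque([start])
    while queue:
        host = queue.popleft()
        for account in cached.get(host, set()):
            for nxt in admin_on.get(account, set()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return seen

def exposure_percent(start, cached=CACHED_HASHES, admin_on=ADMIN_ON):
    """Share of the inventory reachable from one compromised host."""
    return 100.0 * len(reachable_hosts(start, cached, admin_on)) / len(cached)

def restrict_account(account, allowed_hosts, cached=CACHED_HASHES, admin_on=ADMIN_ON):
    """Model the separation mitigation: the account is only used on, and only holds
    admin rights on, `allowed_hosts` (e.g. an IT admin account kept off ICS).
    Returns a new (cached, admin_on) pair; the inputs are left unmodified."""
    new_cached = {h: (set(a) if h in allowed_hosts else a - {account})
                  for h, a in cached.items()}
    new_admin = {a: set(h) for a, h in admin_on.items()}
    new_admin[account] = admin_on.get(account, set()) & set(allowed_hosts)
    return new_cached, new_admin

if __name__ == "__main__":
    print("before separation:", exposure_percent("it-ws-01"), "% reachable from it-ws-01")
    c, a = restrict_account("it-admin", {"it-ws-01", "it-srv-01"})
    print("after separation: ", exposure_percent("it-ws-01", c, a), "% reachable from it-ws-01")
```

Before the split, every host in the inventory is reachable from any single host because the shared IT admin hash bridges the two zones; after it, a compromise stays inside its own zone.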