Mike Holcomb’s Post

Mike Holcomb – If one of your objectives from posting this was to start a conversation, well done, objective achieved. This is one of the most interesting posts I have read on OT/ICS Security on LinkedIn. Thank you. To all the people who are saying don’t use AD in OT at all, how do you propose doing IAM? Hwo do you manage access and authorisation? Do you think having individual logins for each user on the devices they need access to is going to be more secure (over the entire identity lifecycle) than a correctly configured AD (managed by competent resources)? Another consideration, is the criticality and risk profile of the asset (or facility) and the risk appetite of the asset (or facility) owner. Risk Assessment here are critical, then based on the outcomes (and Risk Matrix) put in the required mitigations and controls.

What is more secure 1) Trust build between IT Active Directory and OT Active Directory 2) Multiple LTE/5G multi vendor managed backdoors directly connected to the ICS network

Hi thank you for perspective, there are some pro and some contra elements. My statement is - it depends, every ot environment is different, there are over 100 of ot dialects, sometimes there are legal requirements, historical issues, another domain aso. What’s are about the people in maintenance and engineering, do they have 2 computers with 2 accounts in separated rooms - ….i am a fan of blueprints and architecture … process and architecture follow business. Maybe some controversial and most forgotten aspect what’s about depper OT -the world of realtime, safety and control topics - do we need really a hierarchical system for user and computer at this level..

Then another thougt game.. what is more secure .. a badly maintained/secured localized AD for your plant ICS or a highly secured, maintained and designed global AD?

Great in theory- but OT requires extensive real-time data exchange (imagine a shop floor system without shipping or quality data…). AD isn’t the problem, it’s that OT can’t protect it self. I believe a component in the solution is OT separation on single system/component, like using CASB (smart network segmentation) in OT to segment on all network layers with focus on the application and supervisor layers (using AD and historic traffic=usage instead of static and rare access reviews). PAM is not enough as many OT systems can’t protect them self against simple attack and spill-over from IT on protocol/OS/middleware layers. It’s too hard to operate multiple ADs, basic access controls fail if done manually and it requires separate 3rd party remote access controls to manage all the vendors needed for OT maintenance. Besides: How many attacks have we really see on OT that wasn’t a spill over from IT?

Great point and a very common mistake some organizations make in OT environments! Identifying the risks and separating the AD installs is an excellent practice to prevent attackers from exploiting any possible vulnerabilities. It's better to invest some extra time to keep your networks separate and secure, rather than facing the damage caused by a potential cyber attack, spreading from one highly critical environment to another. Also putting eggs in one basket is never a good idea. Imagine a scenario where your SCADA system is exposed to the internet, attackers finds it on Shodan and exploits well known vulnerability with ease (typical in OT setup as most systems are EOL or hard to patch without significant manufacturing downtime = costs), attacker gains access to OT network, soon discovers some assets are connected to global AD, moves laterally to IT. Now instead of having just OT problem, you have also IT problem, which should directly trigger an org-wide crisis scenario. Worst of it? Crisis mode becomes a norm. I still think strategically it's always better to spend extra time, money and efforts on isolation and strong architecture, rather than losing money, customers and their trust, because of OT downtime.

And HARDEN the ICS/OT AD for heavens sake. Tier the AD. Abstracting control and admin to a secure v-PAW hosted in the cloud is possible too.

Folks still do this? Most IT shops don’t understand the business much less business risk and impact associated with OT environments. Having a common trust zone is overall a bad idea and has been for awhile. Also don’t go connecting this stuff to authentication services in the cloud. Our systems need to be able to operate without the internet if needed. Any dependency on the cloud you put into place you are placing your success and failure in someone else’s hands. Not a good idea for critical infrastructure OT systems or important to safety systems.

Thank you for sharing your point of view. Moving into a digital era where almost everything is centralized, there are successful use cases where the OT Active Directory has been securely integrated with Enterprise IAM solution to track the joiners, leavers and movers for a centralized identity solution. It depends on how securely this integration can be done. A trust between the OT Active Directory to a second layer of Active Directory in the DMZ to replicate only the user group and computers thereby allowing it to be integrated securely to enterprise IAM solution, but rather stil manage the group policies locally is still a secured way of integrating for the purpose of centralized Identity.