“Passwords are a commonly employed mechanism of access control for computing systems. They also play a role in securing OT environments. But first, let’s talk about how OT systems are typically secured.
“The Purdue Model is the most common way an ICS network is architected and secured. It relies heavily on segmentation and takes a layered approach where the most sensitive components directly attached to equipment run at the lowest layers and are the most protected. Typically, each layer is on a separate LAN or VLAN, and firewalls control access between the layers.
“Surprisingly, the most sensitive devices running at the lowest layers – programmable logic controllers (PLCs) – often have the weakest access controls. Historically, this has been due to the fact that they’re protected behind multiple layers of firewalls and only someone physically onsite is able to access them directly. However, emerging malware threats like Stuxnet, CrashOverride, Pipedream, Havex, and BlackEnergy demonstrate the ability to breach even air-gapped systems. This can be accomplished by infecting a technician’s laptop that is later connected to the network containing PLCs.
“It’s therefore becoming more and more important to make sure every piece of equipment – including PLCs – is protected with the strongest possible access controls. If available, cryptographic keys provide the best access control. You cannot guess or brute force a properly generated cryptographic key, and cryptographic keys are a lot easier to manage and control, including the ability to easily and rapidly revoke them if compromised.
“If asymmetric cryptographic access controls are unavailable on a PLC, passwords should be used following best practices. This includes periodic password rotation and minimum complexity requirements. Of course, these passwords need to be properly stored and secured.
“Gateways and systems such as HMIs (Human Machine Interfaces) running at higher layers should be protected by multifactor authentication, and every interaction should be logged and monitored.
“For this World Password Day, remember that relying on a single password for access control carries the most risk, especially in an OT environment. With some OT devices, that might be the only security mechanism a device supports. However, where possible, it’s best to use cryptographic controls and multifactor authentication and rotate and protect your passwords!” — Nicholas Miles, Staff Research Engineer at Tenable
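The password practices named in the statement (periodic rotation, minimum complexity, and secure storage) can be made concrete in a few lines. The following Python block is an added illustration for this page, not code from Tenable, the quoted author, or any PLC vendor. The policy thresholds (14-character minimum, three of four character classes, 90-day rotation window, PBKDF2 iteration count) are assumptions chosen for the example; storage uses a random per-password salt and a constant-time comparison so that a leaked record does not yield the password and verification does not leak timing.

```python
"""Password-policy helpers: complexity check, rotation age, and salted-KDF storage.

Added example; the thresholds below are assumptions, not values from the quoted advice.
"""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed policy values for illustration.
MIN_LENGTH = 14
MAX_AGE_DAYS = 90
PBKDF2_ITERATIONS = 600_000


def complexity_failures(password: str, min_length: int = MIN_LENGTH) -> List[str]:
    """Return the policy rules the password violates; an empty list means it passes."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if len(missing) > 1:  # require at least three of the four classes
        failures.append("missing character classes: " + ", ".join(missing))
    return failures


def needs_rotation(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the rotation window."""
    return today - last_changed > timedelta(days=max_age_days)


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest.

    Only the salt, iteration count and digest are stored; the password itself never is.
    A caller may pass a fixed salt for reproducible tests; production code should not.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "digest": digest.hex()}


def verify_password(password: str, record: Dict[str, object]) -> bool:
    """Re-derive the digest with the stored salt and iterations; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(str(record["salt"])),
        int(record["iterations"]),
    )
    return hmac.compare_digest(candidate, bytes.fromhex(str(record["digest"])))


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    candidate = "Tr0ub4dor&3-PLC-Line7"
    print("complexity failures:", complexity_failures(candidate))
    print("rotation due:", needs_rotation(date(2024, 1, 1), date(2024, 5, 2)))
    record = hash_password(candidate)
    print("verify correct:", verify_password(candidate, record))
    print("verify wrong:", verify_password("wrong", record))
```

The two policy checks are deliberately separated from storage: a PLC or gateway that only accepts a shared password still benefits from the complexity and rotation checks being enforced wherever the credential is managed, while the salted KDF record is what a password vault or HMI account store should keep in place of the clear-text password.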