Today cyber security has become an essential part of all industrial installations. Many devices in these installations, such as Remote Terminal Units (RTUs), Intelligent Electronic Devices (IEDs) and network equipment, have either a local Human-Machine Interface (HMI) on the device, a command line interface, or a web/cloud-based interface that requires user authentication. The user accounts used in these devices are typically unmanaged, and in many cases the factory default user accounts and passwords remain unchanged. If the default passwords are changed, there is a risk that some of them will be forgotten, especially when they differ from device to device. Also problematic is the use of very weak passwords that are shared by many users in an organization.
From a cyber security perspective, in today’s digitally connected world, both factory default accounts and shared accounts represent a huge risk and are unacceptable. Besides the cyber security concerns, both factory default and shared accounts can make control system management a nightmare for the control system owner. Consider the case in which a power outage has occurred as a result of a changed configuration, but it cannot be determined which employee actually changed the configuration, because a shared account or a factory default account was used to access the devices. Or consider the case in which a single employee leaves the organization: because that employee knows a password that is shared by several employees, a huge effort is required to change the shared password in many devices, in many locations, to ensure that the departing employee can no longer access the system. Last but not least, the remaining employees must be informed of the new password so that they can continue to perform their work.
Five challenges faced by security managers of industrial installations.
- Managing user accounts easily.
- Administering new employees’ access and permissions in your company from a central point.
- Quickly removing or disabling user credentials from a single central location when an employee leaves your company.
- Implementing centrally configured changes on all products from different vendors, throughout your organization.
- Removing the concern regarding default user accounts that remain active on unmanaged local devices.
See the unseen from a new perspective
Control systems need managing to ensure sustainable infrastructures. Managing a system means continually keeping its devices up to date. The management of a cyber security policy can become complex; to be efficient, security managers therefore need support from Role-Based Access Control (RBAC) software applications such as ABB’s System Data Management software – SDM600. SDM600 allows the responsible persons to manage users and their roles consistently from a central point - even for multiple control systems in different locations.
Three steps to smarter protection for your system
ABB’s Grid Automation service team uses a three-step approach to smarter system protection, based on international standards such as IEC 62351-8, to recommend solutions to the challenges faced by industrial and utility customers. These solutions enable efficient RBAC management of user accounts in multi-vendor control systems. ABB’s SDM600 software can also provide utilities with state-of-the-art cyber security through real-time visibility of the security-relevant user activity within their systems.