The importance of IAM in OT cybersecurity

In the oil and gas industry and other energy organizations, operational technology (OT) systems are essential to the safe and secure extraction, transport and refinement of natural resources.

Unfortunately, those OT systems are potentially becoming more vulnerable to the kind of cyber attacks that can result in downtime, supply chain disruptions, environmental issues and even threats to human health and national security.

The challenge is that oil and gas companies are increasingly relying on new technologies such as the Internet of Things (IoT) and the Industrial Internet of Things (IIOT). While this was hastened by the pandemic, the adoption of these new technologies makes sense from a business and operational standpoint. This also may mean the shift to them is ongoing and inevitable. The need for operational efficiency is also driving OT and Information Technology (IT) convergence, where traditionally segregated OT environments are being connected to the internet.

The more connections, the more cyber risk

According to the International Energy Agency, cyber attacks against energy companies pose a significant and growing threat. At the end of the previous decade, the sector won the dubious distinction of being the number one target for bad actors, representing 16% of all attacks worldwide. Those breaches come with significant costs. In 2021, the energy industry’s cost per data breach averaged more than $4 million. In 2022 and beyond, we see this trend to continue growing as attackers grow their footprints moving from IT to OT.

History is evidence that most cybersecurity incidents typically start with compromised credentials that are then used to enter corporate or OT networks and exploit further vulnerabilities across various systems. Having strong identity and access management (IAM) controls implemented can help reduce the attack surface for any organization and increase resilience against future attacks.

What’s holding the industry back? A “don’t fix what ain’t broke” mindset has resulted in companies delaying modernization of IAM controls in OT environments, leaving organizations with siloed, manual and often insecure IAM solutions.

The regulatory tide is changing

Cybersecurity laws, regulations and memorandums such as the US National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems will encourage global organizations to consider rationalization of IAM controls, as well as more robust overall cyber defense against, for example, ransomware and data protection. While meeting these goals will take some work, the improvements in cybersecurity will be well worth it.

But it should not stop there. More needs to be done to help secure OT environments and this puts the focus squarely on IAM. This is because IAM is at the heart of this journey to secure OT environments.

IAM is one of the most important cybersecurity domains because it enables organizations to help protect their critical systems from unauthorized access. It possesses this capability because it spans several control families, including identity governance, access management, privileged access, access reviews and remediation.

IT IAM vs. OT IAM – are they the same?

The answer is no. IAM is more than a technology and a tool set. Secure, reliable and sustainable IAM solutions are a combination of people, process and technology. Organizations that try to implement IAM solutions in OT the same way they did in IT are attempting to fit a square peg in a round hole.

Implementation of IT IAM processes in an OT environment usually is met with push back from OT teams or by bypassing IAM controls with shadow processes. IAM processes such has how access is requested, approved and granted for OT, and most importantly, how users access systems in remote parts (middle of nowhere with no connectivity to receive an SMS for MFA is a classic example) are very different than what we see in IT. Unless OT IAM processes are implemented to make life easier for OT practitioners, organizations continue to stand risk of non-adoption. This can lead to self-inflicted business disruptions and a degraded customer experience.

Effective implementation of IAM enables organizations to answer key questions about who has access to what, how they got that access, whether that access is still needed and how to remove unneeded access quickly and consistently. Organizations have matured in answering a question “Who has access to what, how they got it, what they are doing with that access, and do they still need that access?” in IT. Tying OT access to “identity” will extend the framework for “identity as a perimeter” into OT environments. We have and continue to see, that while accesses are tied to identities in IT, that concept is in early stages in OT environments. Simply put, when a person leaves an organization “remove all her/his access not just to IT, but also to OT environments”.

How to do IAM right in OT environments?

It's important to find ways to make security programs less like seat belts (only effective if you use them) and more like airbags (always on, and ready to deploy, with no human intervention).

Successful IAM implementation in OT requires deep understanding of OT processes, architecture, the Purdue Model and more. IAM technologies are extremely well-suited to enable the next generation of smarter sensors. This is because identity has a unique visibility to the data used to establish trust. Thus, it 'owns' many of the administrative and runtime controls for defining and enforcing access policies (see Figure 1).

When working with client OT environments, it's important to create a baseline identifying who should have access to what, along with a complete accounting of how access was authorized and acquired over time. From there we move on to establishing an authoritative identity data for authenticating known users, devices and workloads and metadata for describing users and permissions, which in turn drives lifecycle automation. This is accompanied by establishing the rules that govern the right-sized allocation of access and its business-appropriate use.

Use IAM to drive what good looks like

This is true throughout the environment, but most importantly as it relates to critical infrastructure and privileged access. Examples of proper controls include account discovery processes to detect the creation of rogue accounts or the existence of accounts that become orphaned due to lifecycle changes; 'drift' controls that detect and correct deviations from access baselines that may include illegitimate elevation of privileges; and organizational, functional, policy or role-based ways to define the appropriate assignment of access. In addition, IAM can and should help with certification controls to improve ongoing business accountability related to appropriate access, as well as just-in-time access controls to mitigate risk associated with standing privileged access.

IAM and OT: Top 10 recommendations for energy industry

1. Assess the maturity of IT IAM solutions and review lessons learned by IT's deployment of IAM.
2. Using a safe environment that accurately reflects 'real life' (such as our Cyber Fusion Centers), identify the most serious security risks and go on to identify how they can be mitigated with IAM controls.
3. Adopt risk-based approaches, first securing administration/privileged accounts.
4. Look for opportunities for standardization in the current OT environment landscape, architecture and existing IAM processes.
5. Centralize identity governance to reduce residual risks from leavers (employee and contractors), and third-party users.
6. Develop a strategy to depart from legacy authentication mechanisms and implement strong and multifactor authentication.
7. Prioritize automation.
8. Modernize remote access technologies to strengthen ingress points.
9. Develop and implement a strategic IAM program to support OT from strategy through operations (hire and retain skill sets from within the energy Industry, OT and IAM).
10. Keep in mind that it's critical to take a holistic approach, and to consider working with a partner that is highly experienced in IAM and OT/Industrial Control System cybersecurity.

About Accenture

Accenture is a global professional services company with leading capabilities in digital, cloud and security. Combining unmatched experience and specialized skills across more than 40 industries, we offer Strategy and Consulting, Interactive, Technology and Operations services — all powered by the world’s largest network of Advanced Technology and Intelligent Operations centers. Our 699,000 people deliver on the promise of technology and human ingenuity every day, serving clients in more than 120 countries. We embrace the power of change to create value and shared success for our clients, people, shareholders, partners and communities. Visit us at accenture.com.

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter, LinkedIn or visit us at accenture.com/security.